7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-57738

GHSA ID

GHSA-825g-mm5v-ggq4

EPSS Score

CWE

CWE-653

Published

10/20/2025

Updated

10/20/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-57738

CVE-2025-57738: Apache Syncope allows malicious administrators to inject Groovy code

Apache Syncope offers the ability to extend / customize the base behavior on every deployment by allowing to provide custom implementations of a few Java interfaces; such implementations can be provided either as Java or Groovy classes, with the latter being particularly attractive as the machinery is set for runtime reload. Such a feature has been available for a while, but recently it was discovered that a malicious administrator can inject Groovy code that can be executed remotely by a running Apache Syncope Core instance. Users are recommended to upgrade to version 3.0.14 / 4.0.2, which fix this issue by forcing the Groovy code to run in a sandbox.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-57738

CVE-2025-57738:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-57738

GHSA ID

GHSA-825g-mm5v-ggq4

EPSS Score

CWE

CWE-653

Published

10/20/2025

Updated

10/20/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.syncope.core:syncope-core-spring	maven	< 3.0.14	3.0.14
org.apache.syncope.core:syncope-core-spring	maven	>= 4.0.0-M0, < 4.0.2	4.0.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the ability of a malicious administrator to inject and execute arbitrary Groovy code. The analysis of the provided patches reveals that the org.apache.syncope.core.spring.implementation.ImplementationManager class is responsible for loading and instantiating these Groovy scripts. The build methods within this class, and the methods that use them (buildReportJobDelegate, buildAccountRule, etc.), were creating instances of these scripts without any security restrictions. This allowed the Groovy code to run with the same permissions as the Apache Syncope application, leading to a remote code execution vulnerability.

The patch addresses this by introducing a sandboxing mechanism using groovy-security-sandbox. A new GroovySandbox aspect is created and applied to all Groovy implementations when they are built. This is done within the new createBean method in ImplementationManager, which is now called by all the build methods. The sandbox restricts the operations that the Groovy code can perform by enforcing a blacklist of dangerous methods and classes, effectively mitigating the remote code execution risk. The identified vulnerable functions are the build methods in ImplementationManager that were modified to incorporate this sandboxing, as they were the entry points for creating the unsandboxed, vulnerable objects.

Vulnerable functions

org.apache.syncope.core.spring.implementation.ImplementationManager.build

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

The `build` methods in `ImplementationManager` are responsible for creating instances of implementations, including those written in Groovy. Before the patch, these methods would directly create a bean from the provided Groovy class without any security restrictions. This allowed any user-provided Groovy code to be executed with the full privileges of the Apache Syncope Core instance, leading to remote code execution. The patch introduces a sandboxing mechanism by wrapping the Groovy beans in a proxy that enforces a security policy, thus mitigating the vulnerability.

org.apache.syncope.core.spring.implementation.ImplementationManager.buildReportJobDelegate

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

This method builds a `ReportJobDelegate` implementation. It was vulnerable because it used the insecure `build` method to instantiate Groovy-based implementations without sandboxing, allowing for remote code execution.

org.apache.syncope.core.spring.implementation.ImplementationManager.buildAccountRule

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

This method builds an `AccountRule` implementation. It was vulnerable because it used the insecure `build` method to instantiate Groovy-based implementations without sandboxing, allowing for remote code execution.

org.apache.syncope.core.spring.implementation.ImplementationManager.buildPasswordRule

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

This method builds a `PasswordRule` implementation. It was vulnerable because it used the insecure `build` method to instantiate Groovy-based implementations without sandboxing, allowing for remote code execution.

org.apache.syncope.core.spring.implementation.ImplementationManager.buildPullCorrelationRule

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

This method builds a `PullCorrelationRule` implementation. It was vulnerable because it used the insecure `build` method to instantiate Groovy-based implementations without sandboxing, allowing for remote code execution.

org.apache.syncope.core.spring.implementation.ImplementationManager.buildPushCorrelationRule

core/spring/src/main/java/org/apache/syncope/core/spring/implementation/ImplementationManager.java

This method builds a `PushCorrelationRule` implementation. It was vulnerable because it used the insecure `build` method to instantiate Groovy-based implementations without sandboxing, allowing for remote code execution.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-57738: Apache Syncope allows malicious administrators to inject Groovy code

CVE-2025-57738:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-57738: Apache Syncope allows malicious administrators to inject Groovy code

Basic Information

Basic Information

7.2

7.2

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI