CVE-2025-6384 – org.craftercms:crafter-studio
Package
Manager: maven
Name: org.craftercms:crafter-studio
Vulnerable Version: >=4.0.0 <4.3.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00037 (percentile 0.09723)
Details
Crafter Studio Groovy Sandbox Bypass: an Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands by bypassing the Groovy sandbox. By inserting malicious Groovy elements into a script, an attacker holding a developer account that can author Groovy escapes the sandbox restrictions and obtains remote code execution (RCE) on the Studio host. This issue affects CrafterCMS from 4.0.0 through 4.2.2. Note that the CVSS v3.1 vector recorded above (PR:N, low confidentiality impact only) does not reflect the authenticated code-execution impact described here; the v4.0 vector (PR:H, high integrity and availability impact) does.
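Added example, not taken from the advisory or from CrafterCMS: a Python check that flags a Maven POM whose org.craftercms:crafter-studio dependency falls inside the advisory's range (>=4.0.0 <4.3.0). It resolves versions pinned through <properties> and <dependencyManagement>, orders qualified builds (4.3.0-SNAPSHOT) before the plain release as Maven does, and reports a dependency it cannot resolve rather than guessing. The sample POM, the property name studio.version and the org.example artifacts are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
AFFECTED = ("org.craftercms", "crafter-studio")
VULN_LOW, VULN_HIGH = "4.0.0", "4.3.0"   # advisory range: >=4.0.0 <4.3.0


def version_key(version):
    """Order Maven-style versions: numeric dotted core, then qualifier.
    A qualified build (4.3.0-SNAPSHOT, 4.3.0-RC1) sorts before the plain
    release 4.3.0, as Maven orders it, so it is still inside the range."""
    core, _, qualifier = version.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    nums = (nums + [0, 0, 0])[:3]
    return (tuple(nums), 0 if qualifier else 1)


def is_vulnerable(version):
    """True when VULN_LOW <= version < VULN_HIGH."""
    return version_key(VULN_LOW) <= version_key(version) < version_key(VULN_HIGH)


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def resolve(version, props):
    """Expand a ${property} reference from <properties>; None if unresolvable."""
    if version is None:
        return None
    m = re.fullmatch(r"\$\{([^}]+)\}", version)
    return props.get(m.group(1)) if m else version


def scan_pom(pom_xml):
    """Return [(groupId:artifactId, version, status)] for the affected artifact.
    status is 'vulnerable', 'fixed' or 'unresolved'. 'unresolved' means the
    version comes from a parent POM or an undefined property; check the
    effective POM (mvn help:effective-pom) instead of assuming it is safe."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        managed[(_text(dep, "groupId"), _text(dep, "artifactId"))] = _text(dep, "version")
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = (_text(dep, "groupId"), _text(dep, "artifactId"))
        if coord != AFFECTED:
            continue
        version = resolve(_text(dep, "version") or managed.get(coord), props)
        if version is None:
            status = "unresolved"
        elif is_vulnerable(version):
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append((":".join(coord), version, status))
    return findings


# Constructed sample POM (not from the project): the studio version is pinned
# through a property in dependencyManagement, as many real builds do.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>site</artifactId>
  <version>1.0</version>
  <properties>
    <studio.version>4.2.2</studio.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.craftercms</groupId>
        <artifactId>crafter-studio</artifactId>
        <version>${studio.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.craftercms</groupId>
      <artifactId>crafter-studio</artifactId>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>other-lib</artifactId>
      <version>2.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for coord, version, status in scan_pom(SAMPLE_POM):
        print(f"{coord} {version}: {status}")
```

The check reads only the single POM it is given; versions inherited from a parent POM or a BOM imported with scope "import" surface as "unresolved", which is the signal to run the scan against the effective POM rather than to treat the dependency as clean.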
Metadata
Created: 2025-06-19T21:31:20Z
Modified: 2025-06-20T13:28:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-5644-3vgq-2ph5/GHSA-5644-3vgq-2ph5.json
CWE IDs: ["CWE-913"]
Alternative ID: GHSA-5644-3vgq-2ph5
Finding: F039
Auto approve: 1