CVE-2025-6384

Source
https://cve.org/CVERecord?id=CVE-2025-6384
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6384.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6384
Aliases
Published
2025-06-19T21:15:27.390Z
Modified
2026-04-10T05:33:37.682448Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
[none]
Details

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).

This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

References

Affected packages

Git / github.com/craftercms/craftercms

Affected ranges

Type
GIT
Repo
https://github.com/craftercms/craftercms
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.3.0"
        }
    ]
}

Affected versions

v4.*
v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.1.1
v4.1.2
v4.2.0
v4.2.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6384.json"