CVE-2025-6384: Crafter Studio Groovy Sandbox Bypass

June 19, 2025 (updated June 20, 2025)

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).

This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

References

docs.craftercms.org/current/security/advisory.html
github.com/advisories/GHSA-5644-3vgq-2ph5
github.com/craftercms/studio
github.com/craftercms/studio/commit/471bbad07cf1f3b420529a020c1409ad57d48a4e
nvd.nist.gov/vuln/detail/CVE-2025-6384

Code Behaviors & Features

Detect and mitigate CVE-2025-6384 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →