
Apache Syncope Groovy Flaw Allows Remote Code Injection


Apache Syncope has disclosed a critical security vulnerability that allows authenticated administrators to execute arbitrary code on affected systems.

The flaw, tracked as CVE-2025-57738, impacts all Apache Syncope versions 3.x before 3.0.14 and 4.x before 4.0.2, exposing organisations to potential system compromise through malicious Groovy code injection.

Vulnerability Details and Attack Mechanism

According to the researchers who reported it, the vulnerability exists in Apache Syncope's custom implementation engine, which allows administrators to extend core functionality by uploading custom Java or Groovy code.

While Java implementations require compiled JAR files, Groovy implementations can be uploaded as source code and compiled at runtime for hot-reloading capabilities.

The critical flaw lies in how unpatched versions handle Groovy code execution without any sandbox restrictions or security controls.

On vulnerable versions, Syncope uses a plain GroovyClassLoader to compile and execute administrator-supplied Groovy code with the full privileges of the ...
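As an added illustration (not code from this article or from the Apache Syncope project, and not a claim about how the project patched the issue), the Java below contrasts compiling uploaded Groovy source with a plain GroovyClassLoader, as described above, against compiling it through a CompilerConfiguration that carries Groovy's SecureASTCustomizer, which inspects the syntax tree during compilation and refuses sources that reference a deny-listed set of classes before any object code exists. It assumes the Groovy 4.x setter names (setDisallowedImports, setDisallowedReceivers; Groovy 3 uses the older *Blacklist/*WhiteList names), and the class names GroovyImplementationLoader, UpperCaseTransformer and Probe are constructed for the example.

```java
// Added example, not Syncope code. Assumes Groovy 4.x on the classpath
// (org.apache.groovy:groovy) for the SecureASTCustomizer setter names used here.
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyObject;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

import java.io.IOException;
import java.util.List;

public class GroovyImplementationLoader {

    /** Unrestricted pattern: whatever source is handed in is compiled and later
     *  runs with the privileges of the hosting JVM (the situation the advisory describes). */
    static Class<?> compileUnrestricted(String source) throws IOException {
        try (GroovyClassLoader gcl = new GroovyClassLoader()) {
            return gcl.parseClass(source);
        }
    }

    /** Restricted pattern: a SecureASTCustomizer runs as a compilation phase and
     *  rejects sources that import, call methods on, or otherwise reference the
     *  listed classes, so nothing is ever loaded for them. */
    static Class<?> compileRestricted(String source) throws IOException {
        SecureASTCustomizer sec = new SecureASTCustomizer();
        // Check fully qualified references (e.g. System.getProperty(...)),
        // not only explicit import statements.
        sec.setIndirectImportCheckEnabled(true);
        List<String> denied = List.of(
            "java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System",
            "java.lang.Class", "java.lang.ClassLoader", "java.lang.Thread",
            "groovy.lang.GroovyShell", "groovy.lang.GroovyClassLoader", "groovy.util.Eval");
        sec.setDisallowedImports(denied);   // import statements and class references
        sec.setDisallowedReceivers(denied); // method calls whose receiver has one of these types
        sec.setPackageAllowed(false);       // uploaded classes must not declare a package

        CompilerConfiguration cfg = new CompilerConfiguration();
        cfg.addCompilationCustomizers(sec);
        ClassLoader parent = GroovyImplementationLoader.class.getClassLoader();
        try (GroovyClassLoader gcl = new GroovyClassLoader(parent, cfg)) {
            return gcl.parseClass(source); // violations surface as CompilationFailedException
        }
    }

    /** Compiles and instantiates an uploaded implementation, or returns null when the
     *  customizer rejects it so the caller can log the event and refuse the upload. */
    static GroovyObject load(String source) throws Exception {
        try {
            Class<?> clazz = compileRestricted(source);
            return (GroovyObject) clazz.getDeclaredConstructor().newInstance();
        } catch (CompilationFailedException e) {
            System.err.println("rejected uploaded implementation: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample "implementations"; they are not real Syncope extension classes.
        String benign  = "class UpperCaseTransformer { String transform(String v) { v.toUpperCase() } }";
        String probing = "class Probe { String transform(String v) { System.getProperty('java.version') } }";

        GroovyObject ok = load(benign);
        System.out.println("benign result: " + ok.invokeMethod("transform", "alice"));

        GroovyObject rejected = load(probing);
        System.out.println("probing source accepted by restricted loader? " + (rejected != null));

        // The plain loader compiles the same source without complaint.
        System.out.println("unrestricted loader compiled: " + compileUnrestricted(probing).getSimpleName());
    }
}
```

Run it with the Groovy jar on the classpath; the first sample compiles and returns the upper-cased value, the second is rejected because the reference to java.lang.System trips both the import and the receiver checks. SecureASTCustomizer is a compile-time filter only: Groovy's own documentation notes that it provides no runtime sandbox, and a deny list can be circumvented by code that reaches the same classes indirectly, so it complements rather than replaces upgrading to 3.0.14 or 4.0.2 and keeping the implementation-upload privilege restricted to a small set of administrators.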


Copyright of this story solely belongs to gbhackers.