Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.
By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).
This issue affects CrafterCMS: from 4.0.0 through 4.2.2.
AnalysisAI
Critical Remote Code Execution vulnerability in CrafterCMS Crafter Studio that allows authenticated developers to bypass Groovy Sandbox restrictions and execute arbitrary OS commands through malicious Groovy code injection. This affects CrafterCMS versions 4.0.0 through 4.2.2, and while it requires high-privilege authentication (developer role), the ability to achieve RCE with high-impact consequences (confidentiality, integrity, and availability compromise across system boundaries) makes this a severe issue worthy of immediate patching.
Technical ContextAI
CrafterCMS Crafter Studio uses a Groovy Sandbox to safely execute user-supplied Groovy code in dynamic code resources (CWE-913: Improper Control of Dynamically-Managed Code Resources). The vulnerability stems from insufficient sandbox restriction enforcement—an authenticated developer can craft malicious Groovy expressions that circumvent sandbox protections and execute arbitrary OS commands with the privileges of the CrafterCMS application server process. This is a classic sandbox escape vulnerability where the security boundary intended to isolate untrusted code execution is bypassed through Groovy language features or reflection techniques. The affected product is CrafterCMS (CPE: cpe:2.3:a:craftercms:craftercms) in versions 4.0.0 through 4.2.2, specifically the Crafter Studio component which provides administrative interfaces and dynamic code capabilities.
RemediationAI
Upgrade CrafterCMS to version 4.2.3 or later (version immediately following 4.2.2); priority: Critical; timeline: Immediate (same business day if possible) Interim Mitigation: Restrict developer account access in Crafter Studio to only trusted personnel; audit and revoke unnecessary developer role assignments; priority: High; timeline: Immediate Interim Mitigation: Monitor and audit all dynamic code resource modifications and execution logs in CrafterCMS for suspicious Groovy expressions or OS command patterns; priority: High; timeline: Implement within 24 hours Interim Mitigation: Isolate CrafterCMS Crafter Studio administrative interfaces behind additional network access controls (VPN, IP whitelisting, WAF rules) to reduce attack surface for credential compromise; priority: Medium; timeline: Implement within 48 hours Detection: Enable comprehensive audit logging for Groovy code execution and OS command invocation within CrafterCMS; alert on patterns including reflection, Runtime.exec(), ProcessBuilder, or System properties access; priority: High; timeline: Implement before patching window
More in Craftercms
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output i
Transmission of Private Resources into a New Sphere ('Resource Leak') vulnerability in CrafterCMS Engine on Linux, MacOS
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18697
GHSA-5644-3vgq-2ph5