Platform: java
Component: com.liferay:com.liferay.server.admin.web
Fixed in: 7.4.4, 173.0.1, 102.0.1, 28.0.1, 20.0.1, 7.3.11, 5.0.24
CVE-2025-3594 describes a Path Traversal vulnerability discovered in Liferay Portal and DXP. This flaw allows an attacker to upload and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts Liferay Portal versions up to 5.0.9 and DXP versions 7.0.0 through 7.4.3.4. A fix is available in Liferay Portal 5.0.24.
The core impact of CVE-2025-3594 lies in its ability to bypass access controls and manipulate the server's file system. An attacker could leverage this vulnerability to upload malicious JAR files containing arbitrary code, which would then be executed by the Liferay Portal server. This could lead to remote code execution (RCE), allowing the attacker to gain control of the server and potentially access sensitive data, modify configurations, or install persistent backdoors. The ability to download and execute arbitrary files significantly expands the attack surface, enabling attackers to escalate privileges and move laterally within the network if the server has access to other resources. This vulnerability shares similarities with other file upload vulnerabilities where insufficient validation allows for arbitrary file manipulation.
CVE-2025-3594 was published on 2025-06-16. As of this date, there is no indication of active exploitation in the wild. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's ease of exploitation suggests it could become a target for opportunistic attackers. The vulnerability has not been added to the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Exploit Status
EPSS: 0.46% (64th percentile)
CISA SSVC
The primary mitigation for CVE-2025-3594 is to upgrade Liferay Portal to version 5.0.24 or later. If an immediate upgrade is not feasible, consider temporary workarounds. These may include restricting access to the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` request parameter through a Web Application Firewall (WAF) or reverse proxy. Carefully review and restrict file upload permissions within the Liferay Portal configuration, and keep the Server Administration portlet reachable only by administrators. Apply strict input validation to all user-supplied file names so that path traversal sequences are rejected before the value touches the file system. After upgrading, confirm the vulnerability is resolved by attempting to upload a test file with a deliberately invalid path and checking that the request is refused.
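The input-validation workaround above amounts to one rule: a file-name parameter must never be able to name a path outside the directory the server intends to write into. The following Java helper is an added example, not Liferay's own code or the patched implementation; it assumes a request parameter called `jarName` (the suffix of the parameter named in this advisory) and a server-side deployment directory, and shows both the syntactic allow-list and the canonical-path containment check a defender would want.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Illustrative hardening for a file-name parameter (assumed name "jarName")
 * that the server later joins to a deployment directory. Example code written
 * for this advisory page, not the project's implementation.
 */
public final class SafeJarName {

    // Allow-list: a bare file name ending in .jar. No separators, no parent
    // references, no control characters. Deny-lists of "../" are bypassable;
    // an allow-list is not.
    private static final Pattern BARE_JAR_NAME =
        Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\\.jar$");

    private SafeJarName() {}

    /** Syntactic check: does the raw parameter look like a plain jar file name? */
    public static boolean isWellFormed(String jarName) {
        if (jarName == null || jarName.indexOf('\0') >= 0) {
            return false;               // embedded NUL truncates names in native code
        }
        if (jarName.contains("..") || jarName.contains("/") || jarName.contains("\\")) {
            return false;               // any traversal or separator is rejected outright
        }
        return BARE_JAR_NAME.matcher(jarName).matches();
    }

    /**
     * Resolve jarName under allowedDir and verify the result is a direct child
     * of the real (symlink-resolved) directory. Returns null when the request
     * must be rejected. The canonical check is defense in depth behind the regex.
     */
    public static Path resolveInside(Path allowedDir, String jarName) throws IOException {
        if (!isWellFormed(jarName)) {
            return null;
        }
        Path base = allowedDir.toRealPath();
        Path candidate = base.resolve(jarName).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        // The target file may not exist yet (it is an upload), so canonicalise
        // its parent and require it to be exactly the allowed directory.
        Path parent = candidate.getParent();
        if (parent == null || !parent.toRealPath().equals(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample directory and sample parameter values for the demo.
        Path allowed = Files.createTempDirectory("deploy-demo");
        String[] samples = {
            "my-plugin.jar",        // accepted
            "../evil.jar",          // rejected: parent reference
            "sub/dir/x.jar",        // rejected: separator
            "shell.jar\0.txt",      // rejected: embedded NUL
            "notajar.txt"           // rejected: wrong suffix
        };
        for (String s : samples) {
            Path p = resolveInside(allowed, s);
            System.out.printf("%-20s -> %s%n", s.replace("\0", "\\0"),
                p == null ? "REJECT" : "OK " + p.getFileName());
        }
    }
}
```

Run with `javac SafeJarName.java && java SafeJarName`. The allow-list regex alone would block every sample here; the `toRealPath` containment check is kept because it also catches a symlink planted inside the deployment directory, which no string check can see. The same two-layer check applies to any upload or download endpoint that accepts a file name, not only the portlet this advisory concerns.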
Update Liferay Portal to a version that has fixed the path traversal vulnerability. Consult the Liferay security advisory for more details on the fixed versions and upgrade instructions.
CVE-2025-3594 is a Path Traversal vulnerability in Liferay Portal and DXP allowing attackers to upload and execute arbitrary files. It impacts versions ≤5.0.9 and DXP versions 7.0.0 through 7.4.3.4.
You are affected if you are running Liferay Portal versions ≤5.0.9 or DXP versions 7.0.0 through 7.4.3.4. Check your version and upgrade accordingly.
Upgrade to Liferay Portal 5.0.24 or later. If immediate upgrade is not possible, implement WAF rules and restrict file upload permissions.
As of 2025-06-16, there is no confirmed active exploitation, but the vulnerability's nature suggests it could become a target.
Refer to the official Liferay security advisory for detailed information and updates: https://www.liferay.com/security/advisory/liferay-portal-and-dxp-security-vulnerability-cve-2025-3594