CVE-2024-25608
Description
HtmlUtil.escapeRedirect in Liferay Portal 7.2.0 through 7.4.3.18, and older unsupported versions, and Liferay DXP 7.4 before update 19, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions can be circumvented by using the 'REPLACEMENT CHARACTER' (U+FFFD), which allows remote attackers to redirect users to arbitrary external URLs via the (1) 'redirect' parameter, (2) 'FORWARD_URL' parameter, (3) 'noSuchEntryRedirect' parameter, and (4) other parameters that rely on HtmlUtil.escapeRedirect.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.liferay.portal:release.portal.bom | Maven | >= 7.2.0, < 7.4.3.19-ga19 | 7.4.3.19-ga19 |
| com.liferay.portal:release.dxp.bom | Maven | < 7.2.10.fp19 | 7.2.10.fp19 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.3.0, < 7.3.10.u4 | 7.3.10.u4 |
| com.liferay.portal:release.dxp.bom | Maven | >= 7.4.0, < 7.4.13.u19 | 7.4.13.u19 |
Affected products
- Liferay/DXP (v5): 7.4.13
Patches
36adf82ef7a0 LPS-144563 Add test
1 file changed · +2 −0
portal-impl/test/unit/com/liferay/portal/util/PortalImplEscapeRedirectTest.java+2 −0 modified@@ -116,6 +116,8 @@ public void testEscapeRedirectWithDomains() throws Exception { Assert.assertNull(_portalImpl.escapeRedirect(":@liferay.com")); Assert.assertNull(_portalImpl.escapeRedirect("http:/web")); Assert.assertNull(_portalImpl.escapeRedirect("http:web")); + Assert.assertNull( + _portalImpl.escapeRedirect("https://google.com\uFFFD@localhost")); } @Test
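Review bot: the single new assertion in testEscapeRedirectWithDomains exercises U+FFFD in only one position ("https://google.com\uFFFD@localhost", i.e. before the '@' in the authority); since the companion change rejects the character anywhere in the string, add cases with the replacement character in the host, path and query, plus one well-formed URL without it that must still be accepted, so the test pins down that the rejection is character-based rather than tied to the userinfo position. Also note this test commit is listed before the fix commit aea651fa5110 and only passes once that change is in place.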
aea651fa5110 LPS-144563 Do not allow unmappable characters
1 file changed · +6 −0
portal-impl/src/com/liferay/portal/util/PortalImpl.java+6 −0 modified@@ -907,6 +907,10 @@ public String escapeRedirect(String url) { return url; } + if (url.contains(_UNICODE_REPLACEMENT_CHARACTER)) { + return null; + } + URI uri = HttpUtil.getURI(url); if (uri == null) { @@ -8764,6 +8768,8 @@ else if (groupFriendlyURL.contains(layoutFriendlyURL)) { private static final String _PUBLIC_GROUP_SERVLET_MAPPING = PropsValues.LAYOUT_FRIENDLY_URL_PUBLIC_SERVLET_MAPPING; + private static final String _UNICODE_REPLACEMENT_CHARACTER = "\uFFFD"; + private static final Log _log = LogFactoryUtil.getLog(PortalImpl.class); private static final Pattern _bannedResourceIdPattern = Pattern.compile(
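Review bot: the early `return null` in escapeRedirect carries no explanation of why U+FFFD is rejected; the intent ("do not allow unmappable characters", i.e. the character the decoder substitutes for bytes it could not map) lives only in the commit message, so add a short comment on `_UNICODE_REPLACEMENT_CHARACTER` in the second hunk. Worth stating in that comment as well that the guard is a literal `String.contains` on the raw `url` argument, evaluated before `HttpUtil.getURI(url)` parses it, so its effect depends on callers handing in the already-decoded parameter value; a test at that boundary would make the assumption explicit.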
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-548x-j6x6-hcv4 (ghsa, advisory)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25608 (ghsa, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-25608 (ghsa, advisory)
- github.com/liferay/liferay-portal/commit/36adf82ef7a09c7035d4f19a1982dcde1ae3f6ae (ghsa, web)
- github.com/liferay/liferay-portal/commit/aea651fa5110934b6a00d93391fac87985e27786 (ghsa, web)
News mentions
No linked articles in our index yet.