VYPR
← All advisories
High severityNVD Advisory· Published Sep 1, 2025· Updated Feb 26, 2026

CVE-2025-3586

CVE-2025-3586

Description

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions.

In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses.

Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
com.liferay:com.liferay.object.serviceMaven
< 1.0.961.0.96

Affected products

2

Patches

3
79ddc243e608

LPS-156259 Adding target to get the expected implementation

https://github.com/liferay/liferay-portalMateus SantanaAug 15, 2022via ghsa
commit
2 files changed · +4 5
  • modules/apps/object/object-service/src/main/java/com/liferay/object/internal/action/executor/GroovyObjectActionExecutorImpl.java+2 3 modified
    @@ -53,8 +53,7 @@ public void execute(
 			ObjectActionVariablesUtil.toVariables(
 				_dtoConverterRegistry, objectDefinition, payloadJSONObject,
 				_systemObjectDefinitionMetadataTracker),
-			"groovy", new HashSet<>(),
-			parametersUnicodeProperties.get("script"));
+			new HashSet<>(), parametersUnicodeProperties.get("script"));
 
 		if (GetterUtil.getBoolean(results.get("invalidScript"))) {
 			throw new ScriptingException();
@@ -72,7 +71,7 @@ public String getKey() {
 	@Reference
 	private ObjectDefinitionLocalService _objectDefinitionLocalService;
 
-	@Reference
+	@Reference(target = "(scripting.language=groovy)")
 	private ObjectScriptingExecutor _objectScriptingExecutor;
 
 	@Reference
  • modules/apps/object/object-service/src/main/java/com/liferay/object/internal/validation/rule/GroovyObjectValidationRuleEngineImpl.java+2 2 modified
    @@ -36,15 +36,15 @@ public Map<String, Object> execute(
 		Map<String, Object> inputObjects, String script) {
 
 		return _objectScriptingExecutor.execute(
-			inputObjects, "groovy", SetUtil.fromArray("invalidFields"), script);
+			inputObjects, SetUtil.fromArray("invalidFields"), script);
 	}
 
 	@Override
 	public String getName() {
 		return ObjectValidationRuleConstants.ENGINE_TYPE_GROOVY;
 	}
 
-	@Reference
+	@Reference(target = "(scripting.language=groovy)")
 	private ObjectScriptingExecutor _objectScriptingExecutor;
 
 }
\ No newline at end of file
b2aa19be228f

LPS-156259 Rename to Groovy bacause there is only one implementation so far, this way we can short circuit GroovyObjectActionExecutor and GroovyObjectValidationRuleEngine

https://github.com/liferay/liferay-portalMateus SantanaAug 15, 2022via ghsa
commit
2 files changed · +15 12
  • modules/apps/object/object-scripting-api/src/main/java/com/liferay/object/scripting/executor/ObjectScriptingExecutor.java+2 2 modified
    @@ -23,7 +23,7 @@
 public interface ObjectScriptingExecutor {
 
 	public Map<String, Object> execute(
-		Map<String, Object> inputObjects, String language,
-		Set<String> outputNames, String script);
+		Map<String, Object> inputObjects, Set<String> outputNames,
+		String script);
 
 }
\ No newline at end of file
  • modules/apps/object/object-scripting-impl/src/main/java/com/liferay/object/scripting/internal/executor/GroovyObjectScriptingExecutor.java+13 10 renamed
    @@ -17,7 +17,7 @@
 import com.liferay.object.scripting.executor.ObjectScriptingExecutor;
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
-import com.liferay.portal.kernel.scripting.Scripting;
+import com.liferay.portal.kernel.scripting.ScriptingExecutor;
 
 import java.util.HashMap;
 import java.util.Map;
@@ -29,13 +29,16 @@
 /**
  * @author Feliphe Marinho
  */
-@Component(immediate = true, service = ObjectScriptingExecutor.class)
-public class ObjectScriptingExecutorImpl implements ObjectScriptingExecutor {
+@Component(
+	immediate = true, property = "scripting.language=groovy",
+	service = ObjectScriptingExecutor.class
+)
+public class GroovyObjectScriptingExecutor implements ObjectScriptingExecutor {
 
 	@Override
 	public Map<String, Object> execute(
-		Map<String, Object> inputObjects, String language,
-		Set<String> outputNames, String script) {
+		Map<String, Object> inputObjects, Set<String> outputNames,
+		String script) {
 
 		Thread currentThread = Thread.currentThread();
 
@@ -48,8 +51,8 @@ public Map<String, Object> execute(
 		currentThread.setContextClassLoader(clazz.getClassLoader());
 
 		try {
-			results = _scripting.eval(
-				null, inputObjects, outputNames, language, script);
+			results = _scriptingExecutor.eval(
+				null, inputObjects, outputNames, script);
 
 			results.put("invalidScript", false);
 		}
@@ -66,9 +69,9 @@ public Map<String, Object> execute(
 	}
 
 	private static final Log _log = LogFactoryUtil.getLog(
-		ObjectScriptingExecutorImpl.class);
+		GroovyObjectScriptingExecutor.class);
 
-	@Reference
-	private Scripting _scripting;
+	@Reference(target = "(scripting.language=groovy)")
+	private ScriptingExecutor _scriptingExecutor;
 
 }
\ No newline at end of file
3b9e3bb1462c

LPS-156259 Blacklist com.liferay.portal.scripting.groovy for LXC

https://github.com/liferay/liferay-portalMateus SantanaAug 9, 2022via ghsa
commit
1 file changed · +1 0
  • portal-impl/src/portal-liferay-online-config.properties+1 0 modified
    @@ -57,6 +57,7 @@ configuration.override.com.liferay.portal.bundle.blacklist.internal.configuratio
     "com.liferay.marketplace.store.web",\
     "com.liferay.nested.portlets.web",\
     "com.liferay.plugins.admin.web",\
+    "com.liferay.portal.scripting.groovy",\
     "com.liferay.portal.security.sso.facebook.connect.api",\
     "com.liferay.portal.security.sso.facebook.connect.impl",\
     "com.liferay.portal.security.sso.opensso.api",\

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.