High severityNVD Advisory· Published Jun 16, 2025· Updated Feb 26, 2026

CVE-2025-3594

Description

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the _com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName parameter.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay:com.liferay.server.admin.webMaven	>= 5.0.0, < 5.0.24	5.0.24
com.liferay:com.liferay.server.admin.webMaven	>= 4.0.0, < 4.0.48	4.0.48
com.liferay:com.liferay.server.admin.webMaven	>= 3.0.0, < 3.0.67	3.0.67
com.liferay:com.liferay.server.admin.webMaven	>= 2.0.0, < 2.0.66	2.0.66
com.liferay:com.liferay.server.admin.webMaven	< 1.0.93	1.0.93

Affected products

Liferay/Portalv5
Range: 7.0.0
Liferay/DXPv5
Range: 6.2.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-p73j-gpcq-49h8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-3594ghsaADVISORY
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3594ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000