Moderate severityNVD Advisory· Published Oct 10, 2025· Updated Oct 10, 2025
CVE-2025-62239
CVE-2025-62239
Description
Cross-site scripting (XSS) vulnerability in workflow process builder in Liferay Portal 7.4.3.21 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 21 through update 92 allows remote authenticated attackers to inject arbitrary web script or HTML via the crafted input in a workflow definition.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.portal.workflow.kaleo.designer.webMaven | >= 5.0.56, < 5.0.124 | 5.0.124 |
Affected products
2- Liferay/DXPv5Range: 7.4.13-u21
Patches
13acad2d86836LPD-15212 Check the workflow XML file for malicious content
2 files changed · +40 −1
modules/dxp/apps/portal-workflow/portal-workflow-kaleo-designer-web/src/main/resources/META-INF/resources/designer/js/definition-builder/source-builder/SourceBuilder.js+24 −1 modified@@ -18,6 +18,8 @@ import {editorConfig} from '../constants'; import {xmlNamespace} from './constants'; import {serializeDefinition} from './serializeUtil'; +const REGEX_ALERT = /alert\((.*?)\)/; + export default function SourceBuilder() { const { currentEditor, @@ -53,6 +55,22 @@ export default function SourceBuilder() { ); if (xmlContent) { + const codeEditor = document.querySelector( + 'div.cke_contents' + ); + + codeEditor.addEventListener('keyup', () => { + if (currentEditor.getData() !== xmlContent) { + const newXmlContent = currentEditor.getData(); + const sanitizedXmlContent = newXmlContent.replace( + REGEX_ALERT, + '' + ); + + currentEditor.setData(sanitizedXmlContent); + } + }); + currentEditor.setData(xmlContent); setLoading(false); @@ -109,7 +127,12 @@ export default function SourceBuilder() { reader.onloadend = (event) => { if (event.target.readyState === FileReader.DONE) { - currentEditor.setData(event.target.result); + const sanitizedData = event.target.result.replace( + REGEX_ALERT, + '' + ); + + currentEditor.setData(sanitizedData); const fileInput = document.querySelector('#fileInput');
modules/dxp/apps/portal-workflow/portal-workflow-kaleo-designer-web/src/main/resources/META-INF/resources/designer/js/definition-builder/source-builder/xmlUtil.js+16 −0 modified@@ -20,9 +20,13 @@ import { } from './constants'; const XMLUtil = { + REGEX_INNER_HTML: /innerHTML\s*=\s*.*?/, + REGEX_ON_ERROR: /onerror\s*=\s*.*?/, + REGEX_SRC: /src\s*=\s*.*?/, REGEX_TOKEN_1: /.+<\/\w[^>]*>$/, REGEX_TOKEN_2: /^<\/\w/, REGEX_TOKEN_3: /^<\w[^>]*[^/]>.*$/, + REGEX_URL: /url\s*=\s*.*?/, create(name, content, attrs) { const instance = this; @@ -165,8 +169,20 @@ const XMLUtil = { let valid = true; + const maliciousContent = [ + this.REGEX_INNER_HTML, + this.REGEX_ON_ERROR, + this.REGEX_SRC, + this.REGEX_URL, + ]; + + const maliciousContentValidation = maliciousContent.some((item) => + new RegExp(item).test(definition) + ); + if ( xmlDoc === null || + maliciousContentValidation || xmlDoc.documentElement === null || xmlDoc.querySelector('parsererror') ) {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-xcvw-hh99-qm73ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62239ghsaADVISORY
- github.com/liferay/liferay-portal/commit/3acad2d8683688ce022abf2dfbab9fb500c5a619ghsaWEB
- liferay.atlassian.net/browse/LPE-17919ghsaWEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62239ghsaWEB
News mentions
0No linked articles in our index yet.