CVE-2025-3594 — Path Traversal in DXP

CWE-22 — Path Traversal CWE-404 — Improper Resource Shutdown or Release6 documents6 sources

Severity

8.6HIGHNVD

EPSS

1.6%

top 18.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal Liferay Digital Experience Platform +1 more

Timeline

PublishedJun 16

Latest updateAug 30

Description

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.0.0 — 7.4.3.4

▶NVDliferay/liferay_portal7.0.0 — 7.4.3.4+1

▶CVEListV5liferay/dxp6.2.0 — portal-173+4

▶NVDliferay/digital_experience_platform7.0 — 7.2+2

🔴Vulnerability Details

GHSA

Liferay Portal path traversal vulnerability with the downloading and installation of Xuggler↗2025-06-16

▶

OSV

Liferay Portal path traversal vulnerability with the downloading and installation of Xuggler↗2025-06-16

▶

CVEList

CVE-2025-3594: Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7↗2025-06-16

▶

📋Vendor Advisories

Red Hat

kernel: f2fs: fix to avoid out-of-boundary access in dnode page↗2025-08-30

▶

Microsoft

Linux Kernel BPF r8152.c intr_callback logging of excessive data↗2022-10-11

▶