Home > Vulnerability Database > CVE-2025-3594

Mend.io Vulnerability Database

CVE-2025-3594

Good to know:

Date: June 16, 2025

Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the "_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName" parameter.

Severity Score

8.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-3594

Url: https://github.com/liferay/liferay-portal

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3594

Url: https://www.mend.io/vulnerability-database/CVE-2025-3594

Severity Score

8.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version com.liferay:com.liferay.server.admin.web:5.0.24;com.liferay:com.liferay.server.admin.web:4.0.48;com.liferay:com.liferay.server.admin.web:3.0.67;com.liferay:com.liferay.server.admin.web:2.0.66;com.liferay:com.liferay.server.admin.web:1.0.93

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-3594

Good to know:

Date: June 16, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?