CVE-2025-3594: 
Java vulnerability analysis and mitigation

A path traversal vulnerability has been identified in Liferay Portal versions 7.0.0 through 7.4.3.4 and Liferay DXP versions (7.4 GA, 7.3 GA through Update 34, and older unsupported versions). The vulnerability was discovered and disclosed on June 16, 2025 (NVD).

The vulnerability allows remote attackers to add files to arbitrary locations on the server and download and execute arbitrary files from the download server through the _com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName parameter. The vulnerability has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD, Liferay Security).

The vulnerability can lead to unauthorized file operations on the server, potentially allowing attackers to compromise system security through arbitrary file manipulation and execution (Liferay Security).

Users are advised to upgrade to Liferay Portal version 7.4.3.5-ga5 or Liferay DXP 7.3 Update 35, which contain fixes for this vulnerability (Liferay Security).