CVE-2025-3594: 
Java vulnerability analysis and mitigation

A path traversal vulnerability was discovered in Liferay Portal versions 7.0.0 through 7.4.3.4 and Liferay DXP (7.4 GA, 7.3 GA through Update 34, and older unsupported versions). The vulnerability was disclosed on June 16, 2025, and has been assigned identifier CVE-2025-3594. This security flaw affects the downloading and installation functionality of Xuggler in the affected Liferay products (NVD, Liferay Security).

The vulnerability exists in the comliferayserveradminwebportletServerAdminPortletjarName parameter and has been classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). It has been assigned a CVSS v4.0 score of 8.6 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD, Wiz).

The vulnerability enables remote attackers to perform two critical actions: (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server. This can lead to unauthorized file operations on the server, potentially allowing attackers to compromise system security through arbitrary file manipulation and execution (Liferay Security, Wiz).

Users are advised to upgrade to either Liferay Portal version 7.4.3.5-ga5 or Liferay DXP 7.3 Update 35, which contain fixes for this vulnerability (Liferay Security).