CVE-2025-3586
BaseFortify

Publication date: 2025-09-01

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions. In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses. Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.
Meta Information
Published: 2025-09-01
Last Modified: 2025-12-12
Generated: 2026-05-07
AI Q&A: 2025-09-01
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (20 associated CPEs)

Vendor    Product                       Version / Range
liferay   digital_experience_platform   From 2023.Q3.1 (inc) to 2023.Q3.10 (inc)
liferay   digital_experience_platform   From 2023.Q4.0 (inc) to 2023.Q4.10 (inc)
liferay   digital_experience_platform   From 2024.Q1.1 (inc) to 2024.Q1.20 (inc)
liferay   digital_experience_platform   7.4
liferay   liferay_portal                From 7.4.3.27 (inc) to 7.4.3.43 (exc)
CWE
CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in certain versions of Liferay Portal and Liferay DXP where the Objects module does not restrict the use of Groovy scripts in Object actions for users with the Instance Administrator role. This flaw allows remote authenticated administrators to execute arbitrary Groovy scripts, leading to remote code execution (RCE). Essentially, an attacker with admin privileges can run any code they want on the affected system through these scripts. [1]

How can this vulnerability impact me?

If exploited, this vulnerability allows a remote authenticated administrator to execute arbitrary code on the affected system. This can lead to full system compromise, unauthorized access, data theft, disruption of services, or further attacks within the network. Because it involves remote code execution by privileged users, the impact is significant and can severely affect the security and integrity of the system. [1]
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade affected Liferay Portal and Liferay DXP instances to fixed versions: Liferay Portal 7.4.3.43 or later, Liferay DXP 2024.Q2.0 or later, or Liferay DXP 2024.Q3.0 or later. Additionally, for versions 2024.Q2 and later, use the new Instance Settings feature to disable or restrict the use of Groovy scripts in Object actions to prevent remote code execution by administrators. [1]