7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3586

CVE-2025-3586: Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

In Liferay Portal 7.4.3.27 through 7.4.3.42, and Liferay DXP 2024.Q1.1 through 2024.Q1.20, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 27 through update 42 (Liferay PaaS, and Liferay Self-Hosted), the Objects module does not restrict the use of Groovy scripts in Object actions for Admin Users. This allows remote authenticated admin users with the Instance Administrator role to execute arbitrary Groovy scripts (i.e., remote code execution) through Object actions.

In contrast, in Liferay DXP (Liferay SaaS), the use of Groovy in Object actions is not allowed due to the high security risks it poses.

Starting from Liferay DXP 2024.Q2 and later, a new feature has been introduced in Instance Settings that allows administrators to configure whether Groovy scripts are allowed in their instances.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-3586

CVE-2025-3586:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay:com.liferay.object.service	maven	< 1.0.96	1.0.96

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allowed authenticated administrators to execute arbitrary code through Groovy scripts in Object Actions and Validations. The root cause was in the ObjectScriptingExecutorImpl class, which contained an execute method that accepted a language parameter. This allowed the scripting engine to be specified dynamically. An attacker could craft an Object Action or Validation with a malicious script, and when triggered, the GroovyObjectActionExecutorImpl.execute or GroovyObjectValidationRuleEngineImpl.execute methods would call the vulnerable ObjectScriptingExecutorImpl.execute method, leading to remote code execution.

The patches remediate this vulnerability by removing the dynamic language parameter from the script execution flow. The ObjectScriptingExecutorImpl was renamed to GroovyObjectScriptingExecutor and modified to be specific to Groovy scripting, removing the ability to select a different language. The calling classes, GroovyObjectActionExecutorImpl and GroovyObjectValidationRuleEngineImpl, were updated to use this new, safer, language-specific implementation. This ensures that only Groovy scripts can be executed and only through the intended, hardened executor.

Vulnerable functions

com.liferay.object.internal.action.executor.GroovyObjectActionExecutorImpl.execute

modules/apps/object/object-service/src/main/java/com/liferay/object/internal/action/executor/GroovyObjectActionExecutorImpl.java

This function is responsible for executing Groovy scripts for Object Actions. It was part of the vulnerable call chain that passed user-provided scripts to the scripting engine. The patch removes the hardcoded "groovy" language parameter, relying on a more specific, targeted script executor service, which mitigates the ability to control the script engine.

com.liferay.object.internal.validation.rule.GroovyObjectValidationRuleEngineImpl.execute

modules/apps/object/object-service/src/main/java/com/liferay/object/internal/validation/rule/GroovyObjectValidationRuleEngineImpl.java

This function executes Groovy scripts for Object Validation Rules. Similar to the action executor, it was part of the vulnerable call chain. The patch removes the explicit "groovy" language parameter, hardening the implementation by relying on a targeted dependency injection for the script executor.

com.liferay.object.scripting.internal.executor.ObjectScriptingExecutorImpl.execute

modules/apps/object/object-scripting-impl/src/main/java/com/liferay/object/scripting/internal/executor/ObjectScriptingExecutorImpl.java

This function was the core of the vulnerability. It accepted a 'language' parameter and used it to evaluate the provided script, allowing an attacker to specify the script engine. The patch renames the class to 'GroovyObjectScriptingExecutor', removes the 'language' parameter from the method signature, and hardcodes the use of the Groovy scripting engine, thus preventing the execution of scripts in other languages.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-3586: Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

CVE-2025-3586:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-3586: Liferay Portal and DXP Instance Admin can execute code using Objects Actions and Validations

Technical Details

7.2

7.2

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI