Security Patch - July 2025 - Jahia 8.1 Portlets

October 29, 2025

Vulnerability

A vulnerability was recently discovered in Jahia, exposing it to a risk of path traversal attack in its Portlets feature.

Affected versions

  • All versions up to and including 8.1.8.3

Versions of Jahia 8.2.0.0+, as well as Jahia versions released in or after July 2025, are not affected.

Addressing the vulnerability

If you are running Jahia 8.1+, the recommended method for addressing the vulnerability is to upgrade to serverSettings 9.7.4.

  1. Download serverSettings 9.7.4 from Jahia maven repository (MD5: 513feb2257f70e5c11eab568f81da959)
  2. Using Jahia module manager (or provisioning API), update it on your environment

Note that Portlets were removed in serverSettings 9.7.4; this feature has been deprecated since Jahia 8.0.0.0. This can be considered a breaking change if your modules still rely on Portlets.
The vulnerability can also be addressed by upgrading from Jahia 8.1.x to Jahia 8.2.1.0, but this might be impractical in the context of a security vulnerability due to the effort potentially associated with such an upgrade. See our upgrade guide.

Verifying the update

To verify the update, make sure serverSettings 9.7.4 is present and running. No previous versions of serverSettings should be present in your environment.

Mitigating the vulnerability

If you are running a Jahia version below 8.1.0.0, or if the upgrade is impractical, the vulnerability can also be mitigated without upgrading serverSettings to 9.7.4 by blocking access to the following URL path: /cms/preparedportlets.

In HAProxy, this can be achieved with the following configuration:

acl url_forbidden_preparedportlets path_reg ^.*/.*cms.*/.*preparedportlets.*$
http-request deny if url_forbidden_preparedportlets
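Two checks worth running alongside the steps above, as an added example that is not part of the advisory or Jahia's own tooling: confirming the downloaded serverSettings 9.7.4 artifact against the published MD5 before installing it, and exercising the HAProxy deny rule's regex against constructed request paths before rolling it out. It assumes HAProxy evaluates path_reg against the request path without the query string, so Python's re is a faithful stand-in for this simple pattern.

```python
import hashlib
import re

# MD5 published in the advisory for serverSettings 9.7.4.
EXPECTED_SERVERSETTINGS_MD5 = "513feb2257f70e5c11eab568f81da959"

# The regex from the advisory's HAProxy ACL. path_reg tests it against the
# request path only (query string excluded), which is what we feed it below.
PREPAREDPORTLETS_RE = re.compile(r"^.*/.*cms.*/.*preparedportlets.*$")


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as a lowercase hex digest."""
    return hashlib.md5(data).hexdigest()


def file_md5_hex(path: str) -> str:
    """MD5 of a file, hashed in chunks so a large module jar need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_matches(actual_hex: str, expected_hex: str = EXPECTED_SERVERSETTINGS_MD5) -> bool:
    """True only when the computed digest equals the advisory's published MD5 (case-insensitive)."""
    return actual_hex.strip().lower() == expected_hex.strip().lower()


def is_denied(request_path: str) -> bool:
    """Mirror of 'http-request deny if url_forbidden_preparedportlets' for one request path."""
    return PREPAREDPORTLETS_RE.search(request_path) is not None


def classify(paths):
    """Map each request path to whether the ACL would deny it, for review before rollout."""
    return {p: is_denied(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real deployment.
    sample = [
        "/cms/preparedportlets",
        "/cms/preparedportlets/some-portlet",
        "/sites/cms/preparedportlets",  # also denied: the pattern is a substring match
        "/cms/render/default/en/sites/digitall/home.html",  # ordinary page, allowed
    ]
    for p, denied in classify(sample).items():
        print(f"{'DENY ' if denied else 'ALLOW'} {p}")
    print("downloaded artifact ok:", checksum_matches(file_md5_hex("serverSettings-9.7.4.jar")))
```

Replace the file name in the last line with the path of the artifact you actually downloaded; a mismatch means the download should not be installed.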

Please do not hesitate to reach out to Jahia Support if you have any questions or concerns.