Server-Side Request Forgery Vulnerability in Liferay Digital Experience Platform
CVE-2025-43747

4.8 MEDIUM

Key Information:

Vendor

Liferay

Status
Vendor
CVE Published:
21 August 2025

What is CVE-2025-43747?

A server-side request forgery (SSRF) vulnerability exists in Liferay DXP versions 2025.Q2.0 through 2025.Q2.3. The issue stems from inadequate validation of the domains listed in the analytics.cloud.domain.allowed setting: the check does not distinguish legitimate subdomains of an allowed domain from attacker-controlled hosts whose names merely resemble one, so a crafted request can pass the allowlist check and cause a domain the operator never intended to trust to be treated as trusted. Depending on what the server then does with the resulting request, this can lead to unauthorized access and data exposure.
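The advisory describes an allowlist that fails to separate genuine subdomains from look-alike hosts. The following added example (not Liferay's code; the weak check is a hypothetical illustration of this bug class, and the allowlist value `analytics.example.com` is constructed) contrasts a suffix-style host comparison with a check that only accepts an exact match or a subdomain at a `.` label boundary, and that derives the host from the parsed URL so userinfo and port tricks do not confuse it:

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; not a real Liferay value.
ALLOWED_DOMAINS = ("analytics.example.com",)


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL with userinfo, port and a
    trailing dot removed, so 'https://a.example.com@evil.test/' yields
    'evil.test' rather than the part before the '@'."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def is_allowed_weak(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hypothetical weak check: a plain string-suffix test.

    'evil-analytics.example.com' ends with 'analytics.example.com', so it is
    accepted even though it is not a subdomain of the allowed domain.
    """
    host = hostname_of(url)
    return any(host.endswith(d.lower()) for d in allowed)


def is_allowed_strict(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Hardened check: require https and accept only an exact match or a
    subdomain separated from the allowed domain by a '.' boundary."""
    if urlsplit(url).scheme != "https":
        return False
    host = hostname_of(url)
    for d in allowed:
        d = d.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def compare(urls):
    """Evaluate both checks over a list of URLs; returns {url: (weak, strict)}."""
    return {u: (is_allowed_weak(u), is_allowed_strict(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate subdomain, two look-alikes,
    # one userinfo trick and one plain-http variant.
    samples = [
        "https://sub.analytics.example.com/collect",
        "https://evil-analytics.example.com/collect",
        "https://analytics.example.com.attacker.test/collect",
        "https://analytics.example.com@evil.test/collect",
        "http://analytics.example.com/collect",
    ]
    for url, (weak, strict) in compare(samples).items():
        print(f"{url:55} weak={weak!s:5} strict={strict!s:5}")
```

Only the first URL is accepted by the strict check; the suffix-based check also waves through the `evil-analytics.example.com` look-alike, which is the class of mismatch the advisory describes.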

Affected Version(s)

Liferay DXP 2025.Q2.0 through 2025.Q2.3 (inclusive)

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
