Service Access Policy Execution Vulnerability in Liferay Portal and DXP
CVE-2025-43789

1 LOW

Key Information:

Vendor: Liferay

Status
Vendor
CVE Published: 12 September 2025

What is CVE-2025-43789?

Liferay Portal versions 7.4.0 to 7.4.3.119 and Liferay DXP versions 2024.Q1.1 to 2024.Q1.9 contain a vulnerability that allows registered JSON Web Services classes to be invoked directly. This can lead to unauthorized execution of Service Access Policies, potentially compromising application security. Users and system administrators are advised to apply the recommended patches and updates to mitigate these risks.

Affected Version(s)

DXP 7.4.13 <= 7.4.13-u92

DXP 2024.Q1.1 <= 2024.Q1.9

Portal 7.4.0 <= 7.4.3.119

CVSS V4

Score: 1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
