CVE-2025-43825

Summary

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.4.0 <= 7.4.3.132affected
LiferayDXP2023.Q3.1 <= 2023.Q3.10affected
LiferayDXP2023.Q4.0 <= 2024.Q4.10affected
LiferayDXP2024.Q1.1 <= 2024.Q1.12affected
LiferayDXP2024.Q2.1 <= 2024.Q2.13affected
LiferayDXP2024.Q3.0 <= 2024.Q3.13affected
LiferayDXP2024.Q4.0 <= 2024.Q4.5affected
LiferayDXP2025.Q1.0 <= 2025.Q1.4affected

Weaknesses

  • CWE-201: CWE-201: Insertion of Sensitive Information Into Sent Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References