Which versions of Digital Experience Platform are affected by CVE-2025-43789?

CVE-2025-43789 is a low-severity vulnerability in Liferay Portal 7.4.0 (CVSS 1.0).. A patch is available.

How to fix or mitigate CVE-2025-43789?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Digital Experience Platform CVE-2025-43789

Q: What is the CVSS score of CVE-2025-43789?

CVE-2025-43789 has a CVSS 4.0 base score of 1.0 (Low). CVSS vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

LOW

Incorrect Authorization (CWE-863)

2025-09-12 security@liferay.com

Authentication Bypass Digital Experience Platform Liferay Portal

1.0

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Adjacent

Attack Complexity

High

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

CVE Published

Sep 12, 2025 - 03:15 nvd

LOW 1.0

DescriptionNVD

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed.

AnalysisAI

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes. Rated low severity (CVSS 1.0). No vendor patch available.

Technical ContextAI

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies get executed. Affected products include: Liferay Digital Experience Platform, Liferay Liferay Portal. Version information: through 7.4.3.119.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

CVE-2025-43789 vulnerability details – vuln.today

Back