CVE-2025-43750

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks.

Published: Aug 20, 2025
Updated: Aug 21, 2025
CVE: CVE-2025-43750
GHSA: GHSA-56qj-wp5r-mvhj
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.dynamic.data.mapping.form.web	-	4.0.180

https://github.com/liferay/liferay-portal/commit/7f58439723c8373e038d5060d0bc58ff2475bdc5
https://github.com/liferay/liferay-portal/commit/b9e57377cb88bad1775beab50558cc2bd5a9758e
https://liferay.atlassian.net/browse/LPE-18190
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43750

Vulnerability Database

CVE-2025-43750