CVE-2025-43758

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library

Published: Aug 22, 2025
Updated: Aug 26, 2025
CVE: CVE-2025-43758
GHSA: GHSA-mm62-gwj5-j285
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-552

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.frontend.js.web	-	5.0.125
com.liferay / com.liferay.object.dynamic.data.mapping.form.field.type	-	1.0.65
com.liferay / com.liferay.object.web	-	1.0.219

https://github.com/liferay/liferay-portal/commit/bf036898c413b6733918f4bfeba59896f1abb34a
https://github.com/liferay/liferay-portal/commit/ff4efcb59b6b9acf548d37787b8d4b3d1126fff8
https://liferay.atlassian.net/browse/LPE-18186
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43758

Vulnerability Database

CVE-2025-43758