CVE-2025-43790

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users to from one virtual instance to access, create, edit, relate data/object entries/definitions to an object in a different virtual instance.

Published: Sep 11, 2025
Updated: Sep 13, 2025
CVE: CVE-2025-43790
GHSA: GHSA-5wxc-3jfw-w94p
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.object.service	-	1.0.197

https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/66b9a7dc4d40a10dec03e169ca8735add81e9bd9
https://liferay.atlassian.net/browse/LPE-18065
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43790

Vulnerability Database

CVE-2025-43790