Vulnerability Database

300,214

Total vulnerabilities in the database

CVE-2025-4581

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.

Published: Aug 9, 2025
Updated: Aug 20, 2025
CVE: CVE-2025-4581
GHSA: GHSA-6v93-frf9-2rp8
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-918

Affected Software
References

Software	From	Fixed in
com.liferay.portal / release.portal.bom	7.4.0	7.4.3.132.x
com.liferay.portal / release.dxp.bom	2025.Q1.0	2025.Q1.5
com.liferay.portal / release.dxp.bom	2024.Q4.0	2024.q4.7.x
com.liferay.portal / release.dxp.bom	2024.Q3.1	2024.q3.13.x
com.liferay.portal / release.dxp.bom	2024.Q2.0	2024.q2.13.x
com.liferay.portal / release.dxp.bom	2024.Q1.0	2024.Q1.16
com.liferay.portal / release.dxp.bom	-	7.4.13.u92.x

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4581

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo