CVE-2025-43747
📋 TL;DR
This SSRF vulnerability in Liferay DXP allows attackers to bypass domain validation and make unauthorized server requests. Attackers can potentially access internal systems or services by exploiting insecure validation of the analytics.cloud.domain.allowed setting. Organizations running affected Liferay DXP versions are vulnerable.
💻 Affected Systems
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to internal systems, exfiltrates sensitive data, or performs lateral movement within the network by exploiting internal services.
Likely Case
Attacker accesses internal APIs, metadata services, or cloud resources, potentially leading to data exposure or service disruption.
If Mitigated
Limited to probing internal network structure or accessing non-critical internal endpoints if proper network segmentation exists.
🎯 Exploit Status
Requires ability to modify domain settings; typically requires authenticated access to Liferay administration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay DXP 2025.Q2.4 or later
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43747
Restart Required: No
Instructions:
1. Upgrade to Liferay DXP 2025.Q2.4 or later.
2. Apply the patch through Liferay's patch management system.
3. Verify that analytics.cloud.domain.allowed validation is functioning correctly.
🔧 Temporary Workarounds
Restrict analytics.cloud.domain.allowed
Limit allowed domains to only trusted, specific domains rather than using wildcards or broad patterns.
Set analytics.cloud.domain.allowed to specific trusted domains only
Network segmentation
Implement network controls to restrict the Liferay server's outbound connections to only necessary services.
Configure firewall rules to limit outbound connections from Liferay server
🧯 If You Can't Patch
- Implement strict egress filtering to limit Liferay server's outbound network access
- Monitor and alert on unusual outbound connections from Liferay servers
🔍 How to Verify
Check if Vulnerable:
Check Liferay DXP version and verify if analytics.cloud.domain.allowed validation can be bypassed by testing with controlled domains.
Check Version:
Check Liferay Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
After patching, test that domain validation properly rejects unauthorized domains and subdomains.
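The workaround above (restrict analytics.cloud.domain.allowed to specific trusted domains) and the verification step (check that validation rejects unauthorized domains and subdomains) both come down to one question: does the allowlist check match the host name exactly, or does it accept anything that merely contains or ends with a trusted name? The following is an added example, not Liferay's code and not a description of the actual flawed check; the allowlist entries, URLs and the `host_allowed` function are constructed for illustration. It shows a strict matcher (exact host match, or a proper subdomain for entries written as `*.suffix`) together with the inputs a verification test should feed it.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for illustration only; not Liferay's configuration format.
ALLOWED_DOMAINS = {"analytics.example.com", "*.analytics-cdn.example.com"}


def host_allowed(url, allowed=ALLOWED_DOMAINS):
    """Return True only if the URL's host exactly equals an allowlisted name,
    or is a proper subdomain of an entry written as '*.base'.
    Substring, prefix and bare-suffix comparisons are deliberately avoided,
    because they accept names that merely contain a trusted label."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname strips userinfo ("user@host") and port, and lowercases the name
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")
    # A name allowlist never admits literal IP addresses
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    for entry in allowed:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            base = entry[2:]
            # Require a label boundary: "evilanalytics-cdn.example.com" must not match
            if host.endswith("." + base):
                return True
        elif host == entry:
            return True
    return False


def verification_cases():
    """Inputs a post-patch verification run should cover, with expected verdicts.
    All hosts are constructed examples."""
    return {
        "https://analytics.example.com/api": True,            # exact match
        "https://cdn1.analytics-cdn.example.com/x.js": True,   # proper subdomain of wildcard entry
        "https://analytics-cdn.example.com/": False,           # wildcard entry does not cover the base itself
        "https://evilanalytics.example.com/": False,           # trusted name as a bare suffix
        "https://analytics.example.com.evil.example/": False,  # trusted name as a prefix
        "https://user@analytics.example.com@evil.example/": False,  # userinfo confusion
        "https://169.254.169.254/latest/meta-data/": False,    # literal IP
        "ftp://analytics.example.com/": False,                 # scheme not permitted
    }


def run_verification():
    """Return the list of cases whose verdict differs from the expected one (empty when all pass)."""
    return [url for url, expected in verification_cases().items()
            if host_allowed(url) != expected]


if __name__ == "__main__":
    failures = run_verification()
    print("all cases pass" if not failures else f"mismatches: {failures}")
```

The matcher treats a `*.base` entry as covering subdomains only; if the base name itself should also be trusted, list it as a separate exact entry rather than loosening the wildcard rule.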
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Liferay server
- Failed domain validation attempts in logs
- Requests to internal IP addresses or metadata services
Network Indicators:
- Liferay server making unexpected outbound connections
- Requests to cloud metadata endpoints (169.254.169.254, etc.)
- Connections to internal services not typically accessed
SIEM Query:
source="liferay" AND (url="*metadata*" OR dest_ip=169.254.169.254 OR dest_ip IN [internal_ranges])
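The SIEM query above expresses the detection in search syntax; to see what it actually flags, here is the same logic as an added Python example (not from the page or from Liferay), run over a few constructed outbound-connection log lines. The `key=value` log format, the field names `source`, `dest_ip` and `url`, and the internal address ranges are assumptions for the example; adapt them to the real log source.

```python
import ipaddress
import re

# Placeholder for the query's [internal_ranges]: RFC 1918 space plus link-local and loopback.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "fd00::/8",
)]
CLOUD_METADATA_IP = ipaddress.ip_address("169.254.169.254")

# Constructed sample log lines; field names are an assumption for this example.
SAMPLE_LOG = """\
source=liferay dest_ip=203.0.113.10 url=https://analytics.example.com/api status=200
source=liferay dest_ip=169.254.169.254 url=http://169.254.169.254/latest/meta-data/ status=200
source=liferay dest_ip=10.0.0.5 url=http://10.0.0.5:8080/admin status=401
source=nginx dest_ip=10.0.0.5 url=http://10.0.0.5/ status=200
source=liferay dest_ip=203.0.113.20 url=https://example.test/metadata/export status=200
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (last occurrence of a key wins)."""
    return dict(KV.findall(line))


def classify(event):
    """Return the reasons this event matches the SIEM query, or [] if it does not.
    Mirrors: source="liferay" AND (url="*metadata*" OR dest_ip=169.254.169.254 OR dest_ip IN internal)."""
    if event.get("source") != "liferay":
        return []
    reasons = []
    try:
        ip = ipaddress.ip_address(event.get("dest_ip", ""))
    except ValueError:  # missing or unparsable address: fall through to the URL check
        ip = None
    if ip == CLOUD_METADATA_IP:
        reasons.append("cloud metadata endpoint")
    elif ip is not None and any(ip in net for net in INTERNAL_RANGES):
        reasons.append("internal destination")
    if "metadata" in event.get("url", "").lower():
        reasons.append("metadata in URL")
    return reasons


def find_suspicious(log_text):
    """Return (dest_ip, url, reasons) for every matching line, in log order."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("dest_ip"), event.get("url"), reasons))
    return hits


if __name__ == "__main__":
    for dest, url, why in find_suspicious(SAMPLE_LOG):
        print(f"ALERT dest={dest} url={url} reasons={why}")
```

Two points carry over to the real query: the `*metadata*` wildcard fires on any URL path containing the word, so expect some benign hits from ordinary web services, and the `[internal_ranges]` placeholder has to be filled with the ranges of your own network or the internal-destination branch never matches.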