CVE-2025-43749

CVSS 5.3 (MEDIUM)

📋 TL;DR

This vulnerability allows unauthenticated users (guests) to read files that were uploaded through Liferay Forms and stored in the document library (Documents and Media) by manipulating the document URL. It affects Liferay Portal 7.4.0 through 7.4.3.132, Liferay DXP 7.4 GA through update 92, and the Liferay DXP 2024.Q1 through 2025.Q1 quarterly releases listed below.

💻 Affected Systems

Products:
  • Liferay Portal
  • Liferay DXP
Versions:
  • Liferay Portal 7.4.0 through 7.4.3.132
  • Liferay DXP 2025.Q1.0 through 2025.Q1.1
  • Liferay DXP 2024.Q4.0 through 2024.Q4.7
  • Liferay DXP 2024.Q3.1 through 2024.Q3.13
  • Liferay DXP 2024.Q2.0 through 2024.Q2.13
  • Liferay DXP 2024.Q1.1 through 2024.Q1.14
  • Liferay DXP 7.4 GA through update 92
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only deployments that use forms with a file-upload field are exposed, since those are the forms that store submitted files in the document library.

📦 What is this software?

Liferay Portal (the open-source CE edition) and Liferay DXP (the commercial edition) are Java-based enterprise portal and content management platforms. The built-in Forms application lets site builders publish web forms; a form's file-upload field stores each submitted file in the site's Documents and Media library, which is the storage this CVE concerns.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthenticated attackers could access sensitive files containing confidential information, credentials, or proprietary data uploaded through forms.

🟠

Likely Case

Information disclosure of files uploaded via forms that were intended to be private or restricted.

🟢

If Mitigated

Limited exposure if files uploaded via forms contain only non-sensitive information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only crafting the right document library URL for an uploaded file; no account or session is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2025.Q1.2+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.15+

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43749

Restart Required: Yes (a patch or new release bundle is installed with the application server stopped)

Instructions:

1. Liferay Portal (CE): download Liferay Portal 7.4.3.133 GA or later from Liferay's public downloads (CE releases are not distributed through the Customer Portal). Liferay DXP: download the fixed quarterly release, or the fix for the 7.4 update line, from the Liferay Customer Portal.
2. Apply it following the Liferay patching or upgrade documentation; the application server is stopped while the patch or new bundle is installed.
3. After restart, verify that the running version is one of the fixed versions (see How to Verify).

🔧 Temporary Workarounds

Restrict guest access to document library

Configure permissions so the Guest role cannot view files in Documents and Media.

Navigate to Control Panel > Users > Roles > Guest > Define Permissions > Site Content > Documents and Media and remove the View permission.

Caveat: this also hides documents that are meant to be public. Prefer restricting only the folder that receives form uploads where that is possible.

Disable file uploads for guest users

Remove file upload capability from forms accessible to unauthenticated users.

In the Forms application, remove or disable the file-upload field on forms that guests can submit, or restrict those forms to authenticated users, until the fix is applied.

🧯 If You Can't Patch

  • Implement strict access controls on document library folders containing uploaded files
  • Monitor access logs for unauthorized file access attempts

🔍 How to Verify

Check if Vulnerable:

On a test site, submit a file through a form that has a file-upload field, locate the stored file in Documents and Media and copy its URL, then request that URL from a fresh browser session or a client that sends no cookies. If the file itself comes back (HTTP 200 with the file body rather than a login page or a 403), guests can read form uploads and the instance is vulnerable. Pair this with the version check below.

Check Version:

Control Panel > Configuration > Server Administration shows the running version. It is also printed in the server log at startup and, unless http.header.version.verbosity=off is set in portal-ext.properties, sent in the Liferay-Portal HTTP response header, which makes it easy to check from outside.

Verify Fix Applied:

After patching, repeat the guest request against a file uploaded through a form: the response should be a 403 or a redirect to the login page, not the file. Also confirm that the version now reported is one of the fixed versions.
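The two checks above (version and guest access) as a small script. This is an added example, not Liferay code or part of the vendor advisory. It assumes the version string is taken from the Liferay-Portal response header, the Server Administration page or the startup log; the header wording ("Liferay Community Edition Portal 7.4.3.132 ...", "Liferay DXP 2024.Q4.7 ...") and the property name http.header.version.verbosity are from general Liferay knowledge, not from this page. The fixed-version thresholds are those in the Official Fix section; the advisory lists no fixed update for the DXP 7.4 update line, so updates above 92 are reported as unknown rather than fixed.

```python
"""Version and guest-access checks for CVE-2025-43749 (added example, not Liferay code)."""
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# First fixed patch level per DXP quarterly line (from the Official Fix section above).
FIXED_QUARTERLY = {
    (2025, 1): 2,   # 2025.Q1.2+
    (2024, 4): 8,   # 2024.Q4.8+
    (2024, 3): 14,  # 2024.Q3.14+
    (2024, 2): 14,  # 2024.Q2.14+
    (2024, 1): 15,  # 2024.Q1.15+
}
FIRST_AFFECTED_CE = (7, 4, 0)
FIRST_FIXED_CE = (7, 4, 3, 133)
LAST_AFFECTED_74_UPDATE = 92   # "7.4 GA through update 92"; no fixed update is listed

QUARTERLY_RE = re.compile(r"\b(20\d{2})\.Q([1-4])\.(\d+)\b")
UPDATE_RE = re.compile(r"\bupdate\s+(\d+)\b", re.IGNORECASE)
CE_RE = re.compile(r"\b7\.4\.\d+(?:\.\d+)?\b")


def is_vulnerable(version_string: str) -> Optional[bool]:
    """True = affected, False = fixed, None = not a line this advisory gives a verdict for."""
    m = QUARTERLY_RE.search(version_string)
    if m:                                   # DXP quarterly release, e.g. 2024.Q4.7
        year, quarter, patch = (int(g) for g in m.groups())
        fixed = FIXED_QUARTERLY.get((year, quarter))
        return None if fixed is None else patch < fixed
    m = UPDATE_RE.search(version_string)
    if m:                                   # DXP 7.4 "Update NN" line
        return True if int(m.group(1)) <= LAST_AFFECTED_74_UPDATE else None
    if re.search(r"DXP|Digital Experience", version_string):
        return None                         # DXP 7.4 GA without an update number: not modelled here
    m = CE_RE.search(version_string)
    if m:                                   # Liferay Portal CE 7.4.x or 7.4.3.y
        v = tuple(int(p) for p in m.group(0).split("."))
        return FIRST_AFFECTED_CE <= v < FIRST_FIXED_CE
    return None


def guest_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str, str]:
    """Request url with no cookies or credentials, exactly as a guest would.

    Returns (status, final_url, content_type). Redirects are followed, so a
    redirect to the login page shows up as a 200 whose final_url contains /login.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-43749-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.geturl(), resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as exc:   # 403/404 are the expected "denied" answers
        return exc.code, url, exc.headers.get("Content-Type", "")


def guest_can_read(status: int, final_url: str) -> bool:
    """The result that indicates exposure: the file itself came back, not a login page."""
    return status == 200 and "login" not in final_url.lower()


if __name__ == "__main__":
    import sys
    # Usage: python check.py https://portal.example/documents/<path-to-form-upload> ...
    for url in sys.argv[1:]:
        status, final_url, ctype = guest_fetch(url)
        verdict = "GUEST CAN READ" if guest_can_read(status, final_url) else "denied"
        print(f"{url}: HTTP {status} {ctype} -> {verdict}")
```

Run it against the URL of a file you uploaded through a form on a test site, from a host with no Liferay session; a "denied" verdict after patching is the expected result. The version function is deliberately conservative: anything the advisory does not explicitly mark as affected or fixed comes back as None so that it is not mistaken for a clean bill of health.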

📡 Detection & Monitoring

Log Indicators:

  • Successful (HTTP 200) downloads of document library files by clients with no authenticated Liferay session, especially from the folder that receives form uploads
  • 403 responses for guest requests to document URLs: these show the permission check holding, so a run of them from one client points to probing rather than a successful read

Network Indicators:

  • Unusual file download patterns from document library by unauthenticated IPs

SIEM Query:

source="liferay" AND (uri_path="/documents/d/*" OR uri_path="/documents/*") AND status=200 AND NOT user=*

(Template only; field names depend on your log source. Web-server access logs do not record the Liferay user, so "guest" normally has to be inferred, for example from the absence of a login event or of an authenticated-session marker for that client.)
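The same triage done offline over access logs, as an added example that is not part of the advisory or of Liferay. The log lines are constructed samples in Apache/Tomcat Combined Log Format with documentation IP addresses, and the "logged in" heuristic (a POST to /c/portal/login from the same client anywhere in the window) is an assumption: access logs do not carry the portal user, so a user who logged in before the window starts will look like a guest. The rule flags clients that pull several document files without ever logging in, and separately clients collecting 403s on document URLs, which is what probing for this bug looks like once the fix or workaround is in place.

```python
"""Access-log triage for guest document downloads (added example, not Liferay code)."""
import re
from collections import defaultdict
from typing import Dict, List

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
DOC_PATH_RE = re.compile(r"^/documents/")  # covers /documents/d/... and /documents/<group>/<folder>/...
LOGIN_PATH = "/c/portal/login"             # assumption: Liferay's default login action

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:09:12:01 +0000] "GET /documents/d/guest/resume-2025 HTTP/1.1" 200 48213
203.0.113.7 - - [10/Jun/2025:09:12:03 +0000] "GET /documents/d/guest/resume-2026 HTTP/1.1" 200 51002
203.0.113.7 - - [10/Jun/2025:09:12:05 +0000] "GET /documents/d/guest/resume-2027 HTTP/1.1" 200 47711
198.51.100.4 - - [10/Jun/2025:09:15:40 +0000] "POST /c/portal/login HTTP/1.1" 302 0
198.51.100.4 - - [10/Jun/2025:09:15:52 +0000] "GET /documents/12345/0/report.pdf HTTP/1.1" 200 90211
192.0.2.9 - - [10/Jun/2025:09:20:10 +0000] "GET /documents/d/guest/resume-2028 HTTP/1.1" 403 512
192.0.2.9 - - [10/Jun/2025:09:20:11 +0000] "GET /documents/d/guest/resume-2029 HTTP/1.1" 403 512
10.0.0.5 - - [10/Jun/2025:09:21:00 +0000] "GET /web/guest/home HTTP/1.1" 200 10240
"""


def triage(log_text: str, min_downloads: int = 3) -> Dict[str, List[str]]:
    """Return client IPs to look at, keyed by the pattern they matched."""
    ok_downloads = defaultdict(int)   # 200s on document URLs per client
    denied = defaultdict(int)         # 403s on document URLs per client
    logged_in = set()                 # clients that posted to the login action

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # skip lines that are not access-log records
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.startswith(LOGIN_PATH):
            logged_in.add(ip)
            continue
        if not DOC_PATH_RE.match(path):
            continue
        if status == 200:
            ok_downloads[ip] += 1
        elif status == 403:
            denied[ip] += 1

    return {
        # bulk document reads with no login from that client: candidate exploitation
        "guest_bulk_download": sorted(
            ip for ip, n in ok_downloads.items() if n >= min_downloads and ip not in logged_in
        ),
        # repeated permission denials on document URLs: candidate probing
        "guest_denied_probe": sorted(ip for ip, n in denied.items() if n >= 2),
    }


if __name__ == "__main__":
    for pattern, ips in triage(SAMPLE_LOG).items():
        print(f"{pattern}: {', '.join(ips) or '-'}")
```

Feed it your real access log instead of SAMPLE_LOG and tune min_downloads to the site's normal traffic; if your reverse proxy adds an authenticated-session marker to the log line, use that in place of the login-POST heuristic.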

🔗 References

  • Liferay security advisory for CVE-2025-43749: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43749
