CVE-2025-43750
📋 TL;DR
This vulnerability allows unauthenticated remote users (including guest users) to upload malicious files to Liferay Portal/DXP systems by bypassing file extension and MIME type validation. Attackers can upload files with obfuscated extensions that evade security checks, potentially leading to arbitrary file upload and subsequent code execution. All Liferay Portal 7.4.0-7.4.3.132 and Liferay DXP 2025.Q1.0-2025.Q1.1, 2024.Q4.0-2024.Q4.7, 2024.Q3.1-2024.Q3.13, 2024.Q2.0-2024.Q2.13, 2024.Q1.1-2024.Q1.14, and 7.4 GA-update 92 installations are affected.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment via uploaded malicious files that execute on the server.
Likely Case
File upload leading to web shell deployment, data manipulation, or denial of service through file system exhaustion.
If Mitigated
Limited impact with proper file validation, restricted guest permissions, and network segmentation preventing file execution.
🎯 Exploit Status
Exploitation requires crafting files with obfuscated extensions to bypass validation, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2025.Q1.2+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.15+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43750
Restart Required: No
Instructions:
1. Download the appropriate fix pack from the Liferay Customer Portal.
2. Apply the fix pack following the Liferay documentation.
3. Verify patch application via version check.
4. Test form attachment functionality.
🔧 Temporary Workarounds
Disable guest file uploads
- Remove guest permissions for form attachment fields in Liferay configuration
- Navigate to Control Panel > Configuration > Permissions > Site Settings > Guest Permissions
- Disable 'Add Document' and 'Add File' permissions for Guest role
Implement WAF file upload filtering
- Configure web application firewall to block suspicious file uploads
- Configure WAF rules to inspect Content-Type headers
- Block uploads with double extensions or suspicious MIME types
🧯 If You Can't Patch
- Disable all form attachment functionality for guest/unauthenticated users
- Implement strict file upload validation at network perimeter (WAF/proxy)
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel > Server Administration > Properties > liferay.version
Check Version:
Check liferay.version property in portal-ext.properties or via Control Panel
Verify Fix Applied:
Verify version is patched (7.4.3.133+ for Portal, appropriate fix pack for DXP) and test file upload with obfuscated extensions
📡 Detection & Monitoring
Log Indicators:
- Multiple failed file upload attempts from guest users
- Successful uploads with unusual file extensions
- Files with double extensions (.jpg.php, .pdf.exe)
Network Indicators:
- HTTP POST requests to /api/jsonws/dlapp/add-file with guest authentication
- Uploads with mismatched Content-Type and file extension
SIEM Query:
source="liferay.log" AND ("add-file" OR "upload") AND user="guest" AND (extension="php" OR extension="exe" OR extension="jsp")
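The following script is an added example, not code from the advisory or from Liferay, that turns the log and network indicators above (and the double-extension / MIME-mismatch checks from the WAF workaround) into a small detector you can run over upload log lines. The log line layout, the sample lines, the extension and MIME tables, and the function names are all assumptions made for the demo; only the /api/jsonws/dlapp/add-file path and the php/exe/jsp extensions are taken from this page.

```python
"""Added example (not from the advisory or from Liferay): score upload log
lines against the indicators listed above. The log format, the sample lines,
the extension lists and the MIME table are assumptions made for the demo;
only the /api/jsonws/dlapp/add-file path and the php/exe/jsp extensions come
from the advisory."""
import re
from dataclasses import dataclass, field

# Server-side executable extensions; php, exe and jsp are from the advisory's
# SIEM query, the rest are added assumptions.
EXECUTABLE_EXTS = {"php", "exe", "jsp", "jspx", "war", "sh", "bat"}

# Small MIME table (assumption: enough for the demo, not Liferay's own map).
MIME_FOR_EXT = {
    "jpg": {"image/jpeg"}, "jpeg": {"image/jpeg"}, "png": {"image/png"},
    "gif": {"image/gif"}, "pdf": {"application/pdf"}, "txt": {"text/plain"},
}
EXT_FOR_MIME: dict = {}
for _ext, _mimes in MIME_FOR_EXT.items():
    for _m in _mimes:
        EXT_FOR_MIME.setdefault(_m, set()).add(_ext)

# Hypothetical upload log line layout (constructed for this example).
LOG_RE = re.compile(
    r'user=(?P<user>\S+)\s+path=(?P<path>\S+)\s+file="(?P<file>[^"]+)"'
    r'\s+content_type=(?P<ctype>\S+)'
)


@dataclass
class Finding:
    user: str
    filename: str
    reasons: list = field(default_factory=list)


def extensions_of(filename: str) -> list:
    """All dotted suffixes, lower-cased: 'a.jpg.php' -> ['jpg', 'php'].
    Trailing spaces and dots are stripped first so they cannot hide the real suffix."""
    parts = filename.strip().rstrip(" .").lower().split(".")
    return [p for p in parts[1:] if p]


def mime_mismatch(final_ext: str, content_type: str) -> bool:
    """True when the declared Content-Type and the final extension disagree
    in either direction of the (partial) table."""
    ct = content_type.lower()
    by_ext = MIME_FOR_EXT.get(final_ext)
    by_mime = EXT_FOR_MIME.get(ct)
    if by_ext is not None and ct not in by_ext:
        return True
    if by_mime is not None and final_ext not in by_mime:
        return True
    return False


def analyze_upload(user: str, filename: str, content_type: str) -> list:
    """Return the list of indicator descriptions that fire for one upload."""
    reasons = []
    exts = extensions_of(filename)
    if not exts:
        return reasons
    if user == "guest" and set(exts) & EXECUTABLE_EXTS:
        reasons.append("guest upload with executable extension")
    if len(exts) >= 2:
        reasons.append("double extension ." + ".".join(exts))
    if mime_mismatch(exts[-1], content_type):
        reasons.append(f"content-type {content_type} does not match .{exts[-1]}")
    return reasons


def scan_log(text: str) -> list:
    """Parse every matching line and keep only uploads with at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = analyze_upload(m["user"], m["file"], m["ctype"])
        if reasons:
            findings.append(Finding(m["user"], m["file"], reasons))
    return findings


# Constructed sample lines; the path is the endpoint named in the advisory.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z INFO upload user=guest path=/api/jsonws/dlapp/add-file file="invoice.pdf" content_type=application/pdf
2025-05-01T10:00:02Z INFO upload user=guest path=/api/jsonws/dlapp/add-file file="photo.jpg.php" content_type=image/jpeg
2025-05-01T10:00:03Z INFO upload user=jdoe path=/api/jsonws/dlapp/add-file file="report.pdf" content_type=image/png
2025-05-01T10:00:04Z INFO upload user=guest path=/api/jsonws/dlapp/add-file file="cmd.jsp" content_type=text/plain
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.user, f.filename, "->", "; ".join(f.reasons))
```

On the constructed sample, the clean guest PDF upload is not reported, the double-extension guest upload fires all three checks, the authenticated upload is reported only for its Content-Type mismatch, and the guest `.jsp` upload is reported for both the executable extension and the mismatch. The MIME check works in both directions (extension implies type, and type implies extension) so a benign-looking Content-Type on an executable extension is still caught; extend the tables to match the file types your forms actually accept before relying on it.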