CVE-2025-43784
📋 TL;DR
This CVE describes an improper access control vulnerability in Liferay Portal and DXP where guest (unauthenticated) users can read object entry information through the API Builder. It affects Liferay Portal 7.4.0 through 7.4.3.124 and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Guest users could access sensitive object entry data including potentially confidential business information, user data, or configuration details exposed through API Builder endpoints.
Likely Case
Unauthenticated users can enumerate and retrieve object entry metadata and content that should be restricted to authenticated users.
If Mitigated
If proper access controls are implemented, guest users would only see publicly accessible data as intended.
🎯 Exploit Status
Exploitation requires no authentication and involves simple API calls to API Builder endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.125+, Liferay DXP 2024.Q2.9+, 2024.Q1.13+, 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43784
Restart Required: No
Instructions:
1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack following Liferay's deployment procedures.
3. Verify the patch is applied by checking version numbers.
🔧 Temporary Workarounds
Disable API Builder for guest users
Configure role permissions so that only authenticated users can access API Builder.
Navigate to Control Panel > Users > Roles > Guest > Define Permissions > Site Administration > Content > Object > API Builder > Remove VIEW permission
Restrict object entry permissions
Configure the permissions of each individual object so that the Guest role cannot view its entries.
Navigate to Control Panel > Objects > [Specific Object] > Permissions > Remove VIEW permission for Guest role
🧯 If You Can't Patch
- Implement network-level restrictions to block API Builder endpoints from external access
- Deploy a web application firewall (WAF) with rules to detect and block unauthorized API Builder requests
🔍 How to Verify
Check if Vulnerable:
As an unauthenticated user, attempt to access API Builder endpoints (typically /o/api/*) and check if object entry data is returned.
Check Version:
Check Liferay version via Control Panel > Server Administration > Properties > liferay.version
Verify Fix Applied:
After patching, verify that unauthenticated requests to API Builder endpoints return an access-denied response rather than object entry data.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /o/api/* endpoints returning 200 OK
- Guest user access to object entry APIs in audit logs
Network Indicators:
- Unusual volume of unauthenticated API requests to API Builder endpoints
- External IPs accessing object entry APIs
SIEM Query:
source="liferay" AND (uri_path="/o/api/*" OR uri_path="/api/*") AND http_status=200 AND user="guest"
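The log indicators above, applied to access-log lines with a small Python scanner. This is an added example, not part of the advisory or of Liferay itself; the log lines, client IPs and the paths under /o/api/ are constructed for illustration, and the combined-log format and the volume threshold are assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Apache/Tomcat "combined"-style access log: client IP, ident, authenticated
# user ("-" when the request is anonymous), timestamp, request line, status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Path prefixes named in the advisory's log indicators and SIEM query.
API_PREFIXES = ("/o/api/", "/api/")

# Constructed sample lines (hypothetical IPs and paths, not real Liferay endpoints).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0000] "GET /o/api/demo-app/v1/entries?fields=id HTTP/1.1" 200 5123
203.0.113.10 - - [12/Mar/2025:10:01:05 +0000] "GET /o/api/demo-app/v1/entries/42 HTTP/1.1" 200 901
198.51.100.7 - alice [12/Mar/2025:10:02:00 +0000] "GET /o/api/demo-app/v1/entries HTTP/1.1" 200 4210
203.0.113.22 - - [12/Mar/2025:10:03:14 +0000] "GET /o/api/demo-app/v1/entries HTTP/1.1" 403 128
203.0.113.10 - - [12/Mar/2025:10:04:00 +0000] "GET /web/guest/home HTTP/1.1" 200 30211
"""

def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string when matching
    return rec

def is_guest_api_success(rec: dict) -> bool:
    """The advisory's indicator: an anonymous (or 'guest') request to an
    API Builder path answered with 200 instead of an access-denied status."""
    return (rec["user"] in ("-", "guest")
            and rec["path"].startswith(API_PREFIXES)
            and rec["status"] == 200)

def scan(log_text: str, volume_threshold: int = 3):
    """Return (matching records, client IPs with at least volume_threshold hits)."""
    hits = [rec for rec in map(parse_line, log_text.splitlines())
            if rec is not None and is_guest_api_success(rec)]
    per_ip = Counter(rec["ip"] for rec in hits)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= volume_threshold)
    return hits, noisy

if __name__ == "__main__":
    found, noisy_ips = scan(SAMPLE_LOG, volume_threshold=2)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("high-volume anonymous API clients:", noisy_ips)
```

Only the two anonymous 200 responses under /o/api/ are reported; the authenticated request, the 403 and the non-API page are not, and the repeat client IP is listed separately for the volume indicator.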