CVE-2025-43789
📋 TL;DR
This vulnerability in Liferay Portal/DXP allows JSON Web Services to be invoked directly as classes, bypassing the intended Service Access Policy controls, which can grant unauthorized access to restricted functionality. Affected versions are Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9 as well as 7.4 GA update 92.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass security policies to execute unauthorized operations, potentially accessing sensitive data or performing administrative actions.
Likely Case
Unauthorized users gain access to restricted JSON web services they shouldn't be able to invoke, leading to information disclosure or limited privilege escalation.
If Mitigated
With proper network segmentation and access controls, impact is limited to internal service abuse rather than external compromise.
🎯 Exploit Status
Exploitation requires an understanding of Liferay's JSON web service architecture and existing access to invoke services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.120+, Liferay DXP 2024.Q1.10+ or 7.4 update 93+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43789
Restart Required: No
Instructions:
1. Apply the latest security fix pack from Liferay's customer portal.
2. For Liferay Portal, upgrade to 7.4.3.120 or later.
3. For Liferay DXP, apply fix pack 2024.Q1.10 or update 93+.
4. No server restart is required for hotfix deployment.
🔧 Temporary Workarounds
Disable JSON Web Services
Temporarily disable JSON web services if they are not required for functionality.
Set the portal property json.web.service.enabled=false in portal-ext.properties.
Restrict Service Access Policies
Tighten Service Access Policy configurations to limit exposure.
Review and update Service Access Policy configurations in Control Panel > Configuration > System Settings > Security > Service Access Policy.
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach Liferay JSON endpoints
- Enable detailed auditing of JSON web service invocations and monitor for unauthorized access patterns
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel > Server Administration > Properties, or run: grep -i "liferay.version" $LIFERAY_HOME/tomcat-*/webapps/ROOT/WEB-INF/liferay-plugin-package.properties
Check Version:
Check Control Panel > Server Administration > Properties, or examine liferay-plugin-package.properties file
Verify Fix Applied:
Verify that the version has been updated to a non-vulnerable release, and test that Service Access Policies are actually enforced on JSON web services.
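As an added example (not part of this advisory and not Liferay's own tooling), the following Python checker reads the version property the grep command above points at and classifies it against the affected and fixed ranges stated on this page. The property key `liferay.version` is taken from that grep command; the exact layout of the properties file and the version string formats assumed for DXP releases (`2024.Q1.N` for quarterly releases, `7.4.13-u92` or `7.4 GA update 92` for update releases) are assumptions, so adjust the regular expressions to whatever your installation actually reports.

```python
import re
from typing import Optional

# Affected and fixed ranges as stated in this advisory.
PORTAL_FIRST_VULN = (7, 4, 0, 0)
PORTAL_LAST_VULN = (7, 4, 3, 119)   # Portal 7.4.3.120+ is fixed
DXP_Q_FIRST_VULN = (2024, 1, 1)
DXP_Q_LAST_VULN = (2024, 1, 9)      # DXP 2024.Q1.10+ is fixed
DXP_U_LAST_VULN = 92                # DXP 7.4 update 93+ is fixed

# Version string layouts are assumptions about how the product reports itself.
DXP_QUARTERLY_RE = re.compile(r"^(\d{4})\.Q([1-4])\.(\d+)$")
DXP_UPDATE_RE = re.compile(
    r"^7\.4(?:[.-]13)?[ .-]*(?:ga[ -]?)?u(?:pdate)?[ -]?(\d+)$", re.IGNORECASE)
PORTAL_RE = re.compile(r"^7\.4\.(\d+)(?:\.(\d+))?$")


def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unknown' for one version string."""
    v = version.strip()

    m = DXP_QUARTERLY_RE.match(v)
    if m:
        t = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
        # The advisory only covers the 2024.Q1 line; say nothing about others.
        if t[:2] != (2024, 1) or t < DXP_Q_FIRST_VULN:
            return "unknown"
        return "vulnerable" if t <= DXP_Q_LAST_VULN else "fixed"

    m = DXP_UPDATE_RE.match(v)
    if m:
        # Advisory lists update 92 as affected and 93+ as fixed; older
        # updates are treated as affected here (assumption).
        return "vulnerable" if int(m.group(1)) <= DXP_U_LAST_VULN else "fixed"

    m = PORTAL_RE.match(v)
    if m:
        t = (7, 4, int(m.group(1)), int(m.group(2) or 0))
        return "vulnerable" if PORTAL_FIRST_VULN <= t <= PORTAL_LAST_VULN else "fixed"

    return "unknown"


def read_version(properties_text: str, key: str = "liferay.version") -> Optional[str]:
    """Pull a key=value pair out of Java .properties text, skipping comments."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        k, sep, val = line.partition("=")
        if sep and k.strip() == key:
            return val.strip()
    return None


def check_properties(properties_text: str) -> str:
    """Classify the version found in a properties file, 'unknown' if absent."""
    version = read_version(properties_text)
    return classify(version) if version else "unknown"


# Constructed sample file content, not taken from a real installation.
SAMPLE_PROPERTIES = """\
# constructed sample of the properties file the advisory points at
name=Liferay Portal
liferay.version=7.4.3.118
"""

if __name__ == "__main__":
    print(check_properties(SAMPLE_PROPERTIES))  # vulnerable
    for v in ["7.4.3.120", "2024.Q1.9", "2024.Q1.10", "7.4 GA update 92", "7.4.13-u93"]:
        print(v, "->", classify(v))
```

Anything the regular expressions do not recognise comes back as "unknown" rather than "fixed", so a version string in an unexpected format never passes silently; pair the result with the functional check above (confirm Service Access Policies are enforced) rather than trusting the version number alone.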
📡 Detection & Monitoring
Log Indicators:
- Unauthorized JSON web service invocation attempts
- Service Access Policy violation logs
- Unexpected access patterns to /api/jsonws endpoints
Network Indicators:
- Unusual traffic to /api/jsonws endpoints from unauthorized sources
- Patterns of JSON web service calls bypassing normal authentication flows
SIEM Query:
source="liferay" AND (uri_path="/api/jsonws/*" OR message="Service Access Policy") AND (user="anonymous" OR result="denied")
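The SIEM query above expressed as a small standalone detector, added here as an example that is not part of the advisory. It applies the same rule (a request under /api/jsonws that is either anonymous or denied) to combined-format web server access log lines, and additionally flags clients that trip the rule repeatedly, which is the "unusual traffic from unauthorized sources" indicator in aggregate form. The log format, the field names, the client addresses and the service paths in the sample are all constructed; it also assumes the user column is populated by your authentication layer. If your access log only carries the HTTP-auth remote user (often "-" for session-authenticated users), the anonymous rule will over-fire, and you should feed it Liferay's own audit events instead.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Combined-style access log line: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

JSONWS_PREFIX = "/api/jsonws"      # endpoint prefix named in the advisory
DENIED_STATUSES = {401, 403}       # HTTP equivalent of the query's result="denied"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None            # malformed or unrelated line: skip, never crash
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(str(rec["status"]))
    return rec


def indicator(rec: Dict[str, object]) -> Optional[str]:
    """Mirror the advisory's SIEM query: jsonws path AND (anonymous OR denied)."""
    if not str(rec["path"]).startswith(JSONWS_PREFIX):
        return None
    if rec["status"] in DENIED_STATUSES:
        return "jsonws-denied"
    if rec["user"] == "-":
        return "jsonws-anonymous"
    return None


def scan(lines: List[str], burst_threshold: int = 3) -> Tuple[List[Dict[str, object]], List[str]]:
    """Return (alerts, clients whose alert count reached burst_threshold)."""
    alerts: List[Dict[str, object]] = []
    hits_per_client: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = indicator(rec)
        if reason is None:
            continue
        alerts.append({"client": rec["client"], "user": rec["user"],
                       "path": rec["path"], "status": rec["status"], "reason": reason})
        hits_per_client[str(rec["client"])] += 1
    bursty = sorted(c for c, n in hits_per_client.items() if n >= burst_threshold)
    return alerts, bursty


# Constructed sample log lines; addresses, users and service paths are made up.
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Mar/2025:10:00:01 +0000] "POST /api/jsonws/example/get-item HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2025:10:00:02 +0000] "POST /api/jsonws/example/get-item HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2025:10:00:03 +0000] "POST /api/jsonws/example/list-all HTTP/1.1" 403 128',
    '10.0.0.9 - bob [12/Mar/2025:10:00:04 +0000] "GET /api/jsonws/invoke HTTP/1.1" 403 128',
    '10.0.0.7 - - [12/Mar/2025:10:00:05 +0000] "GET /web/guest/home HTTP/1.1" 200 2048',
    'not an access log line at all',
]

if __name__ == "__main__":
    found, bursts = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("burst clients:", bursts)
```

Denied requests are classified before anonymous ones so that a 403 from an unauthenticated client is reported as a policy denial, which is the stronger signal: it means a Service Access Policy did its job. Anonymous requests that succeed are the ones worth a second look on an unpatched instance, since they are exactly the calls the bypass would let through.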