CVE-2025-43808
📋 TL;DR
This vulnerability allows remote attackers to access and download virtual products for free in Liferay Commerce by exploiting incorrect permission settings on uploaded files. Attackers can use crafted URLs to bypass payment requirements. Affected systems include Liferay Portal 7.3.0 through 7.4.3.112 and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of revenue from virtual product sales as all customers download products without payment, potential data exposure if virtual products contain sensitive information.
Likely Case
Unauthorized users download virtual products without payment, causing direct revenue loss for affected products.
If Mitigated
Minimal impact with proper access controls and monitoring in place to detect unauthorized downloads.
🎯 Exploit Status
Exploitation requires knowledge of virtual product URLs but is straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.113+, Liferay DXP 2023.Q4.9+, 2023.Q3.11+, 7.4 update 93+, 7.3 update 36+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43808
Restart Required: No
Instructions:
1. Apply the appropriate patch version for your Liferay installation.
2. Verify the patch is applied correctly.
3. Test virtual product downloads to ensure proper permission enforcement.
🔧 Temporary Workarounds
Manual Permission Adjustment
Manually adjust permissions on Documents and Media folders containing virtual products to remove guest view access.
Navigate to Control Panel > Documents and Media > select folder > Permissions > remove Guest view permission
Access Control via Web Server
Configure the web server (Apache/Nginx) to block direct access to virtual product URLs for unauthenticated users.
Add URL filtering rules in web server configuration to require authentication for /documents/d/ paths
🧯 If You Can't Patch
- Implement strict access controls on Documents and Media folders containing virtual products
- Monitor download logs for unauthorized access patterns and implement alerting
🔍 How to Verify
Check if Vulnerable:
Test if virtual products can be downloaded without authentication using direct URLs. Check Liferay version against affected ranges.
Check Version:
Check Liferay version via Control Panel > Server Administration > Properties or via server logs
Verify Fix Applied:
Verify virtual products require proper authentication after patch. Confirm version is updated to patched version.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /documents/d/ paths
- Guest user downloads of virtual product files
- High volume of downloads from unauthenticated IPs
Network Indicators:
- Unusual download patterns for virtual product files
- Direct URL access attempts without authentication headers
SIEM Query:
source="liferay.log" AND ("Guest" OR "anonymous") AND ("/documents/d/" OR "virtual product") AND ("download" OR "access")
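The log indicators and SIEM query above can be checked offline against exported access logs. The script below is an added example, not part of the advisory or Liferay's own tooling; it assumes a constructed, simplified log line format (client IP, user, method, path, status) and flags successful /documents/d/ fetches by Guest or anonymous users, then counts which IPs exceed a download threshold.

```python
import re
from collections import Counter

# Constructed sample log lines for this example. The field layout
# (ip user method path status) is an assumption, not real Liferay output.
SAMPLE_LOG = """\
10.0.0.5 guest GET /documents/d/guest/product-ebook.pdf 200
10.0.0.5 guest GET /documents/d/guest/video-course.zip 200
10.0.0.5 Guest GET /documents/d/guest/license-key.txt 200
192.168.1.20 jdoe GET /documents/d/jdoe/invoice.pdf 200
10.0.0.9 anonymous GET /documents/d/guest/product-ebook.pdf 200
10.0.0.5 guest GET /web/guest/home 200
10.0.0.7 guest GET /documents/d/guest/video-course.zip 403
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Identities the advisory's SIEM query treats as unauthenticated.
UNAUTH_USERS = {"guest", "anonymous"}
DOC_PREFIX = "/documents/d/"


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def unauth_document_downloads(log_text):
    """Return records where a Guest/anonymous user successfully fetched a /documents/d/ path."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["user"].lower() in UNAUTH_USERS
                and rec["path"].startswith(DOC_PREFIX)
                and rec["status"] == "200"):
            hits.append(rec)
    return hits


def high_volume_ips(hits, threshold=3):
    """Map IP -> count for IPs with at least `threshold` unauthenticated downloads."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = unauth_document_downloads(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["user"]} {h["path"]}')
    print("high-volume IPs:", high_volume_ips(found))
```

A 403 on a /documents/d/ path (the last sample line) is excluded here because it shows the permission check holding; after patching, Guest requests for virtual products should land in that bucket rather than the 200 bucket.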