CVE-2025-43745: 
Java vulnerability analysis and mitigation

CVE-2025-43745 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in Liferay Portal and Liferay DXP. The vulnerability was disclosed on August 5, 2025, affecting multiple versions of Liferay Portal (7.4.0 through 7.4.3.132) and Liferay DXP versions ranging from 2024.Q1.1 through 2025.Q2.7. This security flaw allows remote attackers to perform cross-origin requests on behalf of authenticated users by exploiting the endpoint parameter (Liferay Advisory).

The vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery). The technical assessment indicates that the vulnerability requires user interaction but can be exploited remotely without authentication privileges (NVD).

The vulnerability enables attackers to execute unauthorized cross-origin requests by leveraging the authenticated user's session. This could potentially lead to unauthorized actions being performed on behalf of authenticated users, compromising the integrity of user sessions and potentially exposing sensitive information (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay DXP 2025.Q2.8, 2025.Q1.16, or the latest version on the master branch for Liferay Portal. The vulnerability has been patched in these versions to prevent CSRF attacks via the endpoint parameter (Liferay Advisory).

The vulnerability was initially reported by security researcher NDIx, demonstrating the active involvement of the security community in identifying and reporting Liferay vulnerabilities (Liferay Advisory).