CVE-2025-43745: 
Java vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2025-43745, was discovered in Liferay Portal and Liferay DXP. The vulnerability was disclosed on August 19, 2025, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1 through 2025.Q2 (NVD, Liferay Advisory).

The vulnerability allows remote attackers to perform cross-origin requests on behalf of authenticated users through the exploitation of the endpoint parameter. The severity of this vulnerability has been assessed with a CVSS v4.0 Base Score of 6.9 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) (NVD, Liferay Advisory).

The vulnerability enables attackers to execute unauthorized actions by exploiting the authenticated user's session, potentially leading to unauthorized state-changing operations within the application. The CVSS scoring indicates high potential impact on confidentiality while maintaining normal levels of integrity and availability (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal fixed on master branch, Liferay DXP 2025.Q2.8, or Liferay DXP 2025.Q1.16. These updates contain the necessary security patches to remediate the CSRF vulnerability (Liferay Advisory).

The vulnerability was initially reported by security researcher NDIx and has been acknowledged by multiple security organizations including CERT-FR, which included it in their security advisory along with other Liferay vulnerabilities (CERT-FR).