CVE-2025-43749: 
Java vulnerability analysis and mitigation

Liferay Portal and DXP are affected by a security vulnerability (CVE-2025-43749) that allows unauthenticated users (guests) to access files uploaded in forms and stored in the documentlibrary via URL before form submission. The vulnerability was discovered and disclosed on August 20, 2025, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1.1 through 2025.Q1.1 ([Liferay Advisory](https://liferay.dev/portal/security/known-vulnerabilities/-/assetpublisher/jekt/content/CVE-2025-43749), NVD).

The vulnerability has been assigned a CVSS v4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. The weakness is categorized as CWE-552 (Files or Directories Accessible to External Parties). The vulnerability allows unauthorized access to files that should be restricted until proper form submission (Liferay Advisory).

The vulnerability enables unauthenticated users to access files stored in the document_library that should be restricted, potentially leading to unauthorized access to sensitive information. The CVSS scoring indicates low confidentiality impact but demonstrates that the vulnerability can be exploited over the network (NVD).

Fixed versions have been released including Liferay Portal fixed on master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.2, and Liferay DXP 2024.Q1.15. Users are advised to upgrade to these patched versions to mitigate the vulnerability (Liferay Advisory).