CVE-2025-43786: 
Java vulnerability analysis and mitigation

CVE-2025-43786 is a vulnerability discovered in Liferay Portal and DXP that allows attackers to enumerate ERC (Entity Resource Class) through time response analysis. The vulnerability was disclosed in December 2024 and affects multiple versions of Liferay Portal 7.4.0 through 7.4.3.128, and Liferay DXP versions including 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 and 7.4 GA through update 92 (Liferay Security).

The vulnerability allows attackers to determine existent ERC in the application by exploiting time response differences. It has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD Database).

The vulnerability enables attackers to enumerate and identify existing Entity Resource Classes within the Liferay application by analyzing time responses. This information disclosure could potentially be used as a stepping stone for further attacks (Liferay Security).

Organizations should upgrade to the fixed versions: Liferay Portal 7.4.3.129, Liferay DXP 2024.Q1.13, Liferay DXP 2024.Q3.2, or Liferay DXP 2024.Q4.0 (Liferay Security).