CVE-2025-43798: 
Java vulnerability analysis and mitigation

Liferay DXP contains a vulnerability (CVE-2025-43798) that allows time-based one-time passwords (TOTP) to be reused multiple times during their validity period. The vulnerability affects multiple versions including DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35. This authentication bypass flaw was disclosed on September 15, 2025 (Liferay Advisory, NVD).

The vulnerability stems from a missing critical step in authentication (CWE-304) where the system fails to properly invalidate TOTP codes after their first use. The vulnerability has been assigned a CVSS 4.0 base score of 2.1 (Low) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, indicating that while the vulnerability is network accessible, it requires high attack complexity and user interaction (NVD).

The vulnerability allows attackers who have intercepted or obtained a valid TOTP code to reuse it multiple times during its validity window, effectively bypassing the one-time nature of the authentication mechanism. This could lead to unauthorized access to user accounts if an attacker manages to capture a valid TOTP code (Liferay Advisory).

Liferay has released patched versions to address this vulnerability. Users should upgrade to one of the following fixed versions: Liferay DXP 2024.Q1.1, DXP 2023.Q4.1, DXP 2023.Q3.5, or DXP 7.3 U36 (Liferay Advisory).