CVE-2025-43813: 
Java vulnerability analysis and mitigation

A path traversal vulnerability and denial-of-service (CVE-2025-43813) was discovered in the ComboServlet component of Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.107, 7.3.0 through 7.3.7, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and 7.3 GA through update 35. The vulnerability was disclosed on October 24, 2024 (Liferay Advisory).

The vulnerability exists in the ComboServlet component and allows remote attackers to access arbitrary CSS and JSS files and load these files multiple times via the query string in a URL. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N (Liferay Advisory).

The vulnerability allows attackers to perform path traversal attacks to access arbitrary CSS and JSS files on the system. Additionally, attackers can trigger denial-of-service conditions by loading these files multiple times through the query string parameter (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Users should upgrade to Liferay Portal version 7.4.3.108, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.5, Liferay DXP 2023.Q3.9, or Liferay DXP 7.3 U36 (Liferay Advisory).