CVE-2025-43819: 
Java vulnerability analysis and mitigation

A Insufficient Session Expiration vulnerability (CVE-2025-43819) was discovered in Liferay Portal versions 7.4.3.121 through 7.3.3.131, and Liferay DXP versions 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12. The vulnerability allows a remote non-authenticated attacker to reuse old user sessions through the SLO API. This vulnerability was disclosed on September 23, 2025 (Liferay Advisory).

The vulnerability is classified as an Insufficient Session Expiration issue (CWE-613) that affects the session management functionality in Liferay's SLO (Single Logout) API. The vulnerability has received a CVSS v4.0 Base Score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N, indicating network accessibility with low attack complexity and no user interaction required (NVD).

The vulnerability allows attackers to reuse old user sessions, potentially leading to unauthorized access to user accounts and sensitive information. The impact is reflected in the CVSS scoring which indicates low impact on both confidentiality and integrity, with no impact on availability (Liferay Advisory).

Organizations are advised to upgrade to the fixed versions: Liferay Portal 7.4.3.132, Liferay DXP 2025.Q1.0, Liferay DXP 2024.Q1.13, or Liferay DXP 2024.Q4.4 (Liferay Advisory, CERT-FR).

The French national cybersecurity agency (CERT-FR) has issued a security advisory (CERTFR-2025-AVI-0815) regarding this vulnerability, highlighting its significance in the cybersecurity community (CERT-FR).