CVE-2025-43750 — Liferay Portal Unvalidated File Upload

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks.

How to fix CVE-2025-43750

To remediate CVE-2025-43750, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.dynamic.data.mapping.form.web—upgrade to 4.0.180 or later

Is CVE-2025-43750 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.180

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43750
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/7f58439723c8373e038d5060d0bc58ff2475bdc5
WEBgithub.com/liferay/liferay-portal/commit/b9e57377cb88bad1775beab50558cc2bd5a9758e