CVE-2025-43751 — Liferay Portal User Enumeration Vulnerability via the Create Account Page

Description

User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exist in the application via the create account page.

How to fix CVE-2025-43751

To remediate CVE-2025-43751, upgrade the affected package to a fixed version below.

—upgrade to 6.0.66 or later

Is CVE-2025-43751 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.66

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43751
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/097597e31b596295cb993bac596a42f06ac1e6d8
WEBgithub.com/liferay/liferay-portal/commit/1205e7bbcc31c40180935044d39ebf158b5256e1