CVE-2025-43759 — Liferay Portal users are able to add system admin portlets to pages

Description

Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants.

How to fix CVE-2025-43759

To remediate CVE-2025-43759, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.layout.impl—upgrade to 6.0.147 or later

Is CVE-2025-43759 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.147

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43759
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/2e29e6733bc0e058bef89d16faac542bf2585346
WEBgithub.com/liferay/liferay-portal/commit/e8cbc7c27e5ed51c4079dd62738713f31afb46f7