CVE-2025-43790
Liferay Portal is vulnerable to Insecure Direct Object Reference (IDOR) attack through Authentication Bypass
EPSS 0.09%
Description
An Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.6, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote authenticated users in one virtual instance to access, create, edit or relate data (object entries and object definitions) belonging to an object in a different virtual instance. In other words, object ids supplied by the caller are acted on without checking that the referenced object belongs to the caller's own virtual instance, so the tenant boundary between instances does not hold for these operations.
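The following is an added illustration of the vulnerability class described above, not Liferay code. Liferay keys every virtual instance by a companyId; the toy store below mirrors that with a `company_id` field on each object definition and entry (the class and method names are assumptions). The `*_unscoped` methods show the bug pattern, a global id trusted without checking which instance owns it, and the scoped methods show the fix: every lookup, create and relate is resolved through the caller's instance, and a foreign id is indistinguishable from a missing one.

```python
"""Tenant-scoped object access vs. the cross-instance IDOR pattern.

Added example, not Liferay code. company_id stands in for Liferay's companyId;
all names here are assumptions made for illustration.
"""
from dataclasses import dataclass, field


class CrossInstanceAccess(Exception):
    """Raised when a caller references an object owned by another instance."""


@dataclass
class ObjectDefinition:
    definition_id: int
    company_id: int
    name: str


@dataclass
class ObjectEntry:
    entry_id: int
    company_id: int
    definition_id: int
    values: dict
    related: set = field(default_factory=set)


class ObjectStore:
    def __init__(self):
        self.definitions: dict[int, ObjectDefinition] = {}
        self.entries: dict[int, ObjectEntry] = {}
        self._next_id = 1

    def _new_id(self) -> int:
        # Ids are global and sequential, so a foreign id is trivially guessable.
        i = self._next_id
        self._next_id += 1
        return i

    def add_definition(self, company_id: int, name: str) -> ObjectDefinition:
        d = ObjectDefinition(self._new_id(), company_id, name)
        self.definitions[d.definition_id] = d
        return d

    # --- vulnerable pattern: the id alone is trusted ---------------------------
    def get_entry_unscoped(self, entry_id: int) -> ObjectEntry:
        """A user of instance A can read (and then edit) instance B's row."""
        return self.entries[entry_id]

    # --- hardened pattern: every operation is scoped to the caller's instance --
    def get_entry(self, caller_company_id: int, entry_id: int) -> ObjectEntry:
        e = self.entries.get(entry_id)
        if e is None or e.company_id != caller_company_id:
            # One error for "absent" and "foreign" so ids cannot be enumerated.
            raise CrossInstanceAccess(f"entry {entry_id} not found in company {caller_company_id}")
        return e

    def create_entry(self, caller_company_id: int, definition_id: int, values: dict) -> ObjectEntry:
        d = self.definitions.get(definition_id)
        if d is None or d.company_id != caller_company_id:
            raise CrossInstanceAccess(f"definition {definition_id} not found in company {caller_company_id}")
        # The new row inherits its instance from the caller, never from input.
        e = ObjectEntry(self._new_id(), caller_company_id, definition_id, dict(values))
        self.entries[e.entry_id] = e
        return e

    def relate(self, caller_company_id: int, src_id: int, dst_id: int) -> None:
        # Both ends must resolve inside the caller's instance before linking.
        src = self.get_entry(caller_company_id, src_id)
        dst = self.get_entry(caller_company_id, dst_id)
        src.related.add(dst.entry_id)
        dst.related.add(src.entry_id)


def build_demo_store() -> ObjectStore:
    """Constructed sample: two virtual instances with one definition and entry each.

    Resulting ids: definition 1 (company 1), definition 2 (company 2),
    entry 3 (company 1), entry 4 (company 2).
    """
    store = ObjectStore()
    d1 = store.add_definition(company_id=1, name="Ticket")
    d2 = store.add_definition(company_id=2, name="Invoice")
    store.create_entry(1, d1.definition_id, {"title": "reset password"})
    store.create_entry(2, d2.definition_id, {"amount": 1200})
    return store


def denied(fn, *args) -> bool:
    """True if the scoped operation refuses the request with CrossInstanceAccess."""
    try:
        fn(*args)
        return False
    except CrossInstanceAccess:
        return True


if __name__ == "__main__":
    s = build_demo_store()
    # Company 1 user guessing company 2's entry id: unscoped read succeeds ...
    print("unscoped read of entry 4 ->", s.get_entry_unscoped(4).values)
    # ... the scoped read, create and relate are all refused.
    print("scoped read denied:", denied(s.get_entry, 1, 4))
    print("scoped create denied:", denied(s.create_entry, 1, 2, {"amount": 0}))
    print("scoped relate denied:", denied(s.relate, 1, 3, 4))
```

The point of routing every operation through `get_entry(caller_company_id, ...)` is that "relate" and "create" are checked by construction; an IDOR of this kind usually survives because one code path (here, linking two entries or creating against a definition) resolves the id directly instead of through the scoped accessor.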
How to fix CVE-2025-43790
To remediate CVE-2025-43790, upgrade the affected component to a fixed version. The package-level fix recorded for this CVE is:
- upgrade to 1.0.197 or later (the package name is not recorded on this page)

Note that 1.0.197 is a component version, not a Liferay product version. In product terms, the affected ranges given in the description end at Liferay Portal 7.4.3.124, DXP 2024.Q2.6, DXP 2024.Q1.12 and DXP 7.4 update 92; any later release in the same line is outside the listed affected range. Check the installed product version against those ranges as well as the component version.
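An added triage helper (not a Liferay tool) that encodes the affected product ranges from the description above so an inventory of version strings can be checked offline. The accepted input forms are assumptions: Liferay Portal as `7.4.3.124`, DXP quarterly releases as `2024.Q2.6`, and DXP 7.4 updates as `7.4-u92` with 7.4 GA written as `7.4-u0`. Anything else, including quarterly lines the description does not mention, is reported as unknown rather than guessed.

```python
"""Affected-version check for CVE-2025-43790, built from the description's ranges.

Added example, not a Liferay tool. Version-string formats are assumptions.
"""
import re

# Liferay Portal 7.4.0 through 7.4.3.124, compared as integer tuples.
PORTAL_FIRST = (7, 4, 0)
PORTAL_LAST = (7, 4, 3, 124)
# DXP quarterly lines: inclusive patch ranges named in the description.
QUARTERLY_AFFECTED = {"2024.Q2": (0, 6), "2024.Q1": (1, 12)}
# DXP 7.4 GA (update 0) through update 92.
DXP74_LAST_UPDATE = 92


def is_affected(version: str) -> bool:
    """True if the version falls inside a listed affected range.

    Raises ValueError for strings that do not match an assumed format.
    """
    v = version.strip()

    m = re.fullmatch(r"(2024\.Q[12])\.(\d+)", v)
    if m:
        lo, hi = QUARTERLY_AFFECTED[m.group(1)]
        return lo <= int(m.group(2)) <= hi

    m = re.fullmatch(r"7\.4-u(\d+)", v)
    if m:
        return int(m.group(1)) <= DXP74_LAST_UPDATE

    # Portal: at least three dotted integers so "7.4" alone is not guessed at.
    if re.fullmatch(r"\d+\.\d+\.\d+(?:\.\d+)*", v):
        t = tuple(int(p) for p in v.split("."))
        return PORTAL_FIRST <= t <= PORTAL_LAST

    raise ValueError(f"unrecognised Liferay version string: {version!r}")


def triage(versions):
    """Map each version string to 'affected', 'not affected' or 'unknown'."""
    out = {}
    for v in versions:
        try:
            out[v] = "affected" if is_affected(v) else "not affected"
        except ValueError:
            out[v] = "unknown"
    return out


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = ["7.4.3.120", "7.4.3.125", "2024.Q2.6", "2024.Q1.0",
                 "7.4-u92", "7.3.7", "2024.Q3.1"]
    for ver, verdict in triage(inventory).items():
        print(f"{ver:12} {verdict}")
```

Because the check is built only from the ranges the description lists, a version it cannot place (for example a quarterly line not named there) comes back as unknown; treat those as needing a manual check against the vendor advisory rather than as safe.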
Is CVE-2025-43790 being exploited?
Low. EPSS is 0.09%, a low estimated probability of exploitation in the next 30 days, and no in-the-wild exploitation is recorded on this page. Exploitation also needs an authenticated account and a deployment that hosts more than one virtual instance, which narrows the exposed population.
Affected packages (1)
- (package name not recorded) all versions from 0 up to, but not including, 1.0.197
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |

Reading the vector: reachable over the network (AV:N) with low attack complexity (AC:L) but an attack requirement present (AT:P, here a deployment with more than one virtual instance), low privileges (PR:L, any authenticated account), passive user interaction (UI:P), high confidentiality and integrity impact on the vulnerable system (VC:H, VI:H), no availability impact (VA:N) and no impact on subsequent systems (SC:N, SI:N, SA:N). No numeric score or severity rating is recorded on this page.