CVE-2025-43825 Sensitive user data available to FreeMarker template

Description

A vulnerability in Liferay Portal and Liferay DXP allows sensitive user data to be included in the FreeMarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.

Severity

4.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.132
  • Liferay DXP 7.4
  • Liferay DXP 2023.Q3
  • Liferay DXP 2023.Q4
  • Liferay DXP 2024.Q1.1 through 2024.Q1.12
  • Liferay DXP 2024.Q2
  • Liferay DXP 2024.Q3
  • Liferay DXP 2024.Q4.0 through 2024.Q4.5
  • Liferay DXP 2025.Q1.1 through 2025.Q1.4

Fixed Version(s)

  • Liferay Portal fixed on master branch
  • Liferay DXP 2024.Q1.13
  • Liferay DXP 2024.Q4.6
  • Liferay DXP 2025.Q1.5
  • Liferay DXP 2025.Q2.0

Publication date: Fri, 03 Oct 2025 09:08:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.