CVE-2025-43747 SSRF in Analytics Cloud domain validation

Description

A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains.

Severity

4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

  • Liferay DXP 2025.Q2.0 through 2025.Q2.3

Fixed Version(s)

  • Liferay Portal fixed on master branch
  • Liferay DXP 2025.Q2.4

Publication date: Mon, 18 Aug 2025 17:19:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Community
Company
Feedback
Copyright © 2025 Liferay, IncPrivacy Policy

Powered by Liferay™