CVE-2025-43763 SSRF in custom objects attachment fields

Description

A server-side request forgery (SSRF) vulnerability exist in the Liferay Portal and Liferay DXP that affects custom object attachment fields. This flaw allows an attacker to manipulate the application into making unauthorized requests to other instances, creating new object entries that link to external resources.

Severity

4.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.129
Liferay DXP 2024.Q4.0 through DXP 2024.Q4.7
Liferay DXP 2024.Q3.0 through DXP 2024.Q3.13
Liferay DXP 2024.Q2.0 through DXP 2024.Q2.13
Liferay DXP 2024.Q1.1 through DXP 2024.Q1.20

Fixed Version(s)

Liferay Portal 7.4.3.132
Liferay DXP 2025.Q1.0
Liferay DXP 2025.Q2.0

Publication date: Mon, 08 Sep 2025 11:27:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Community

Company

Feedback

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)