CVE-2025-43745: Liferay Portal CSRF Vulnerability via Endpoint Parameter

Basic Information

CVSS Score: N/A
EPSS Score: 0.14488%
Published: 8/19/2025
Updated: 8/20/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
com.liferay.portal:release.portal.bom | maven | >= 7.4.0-ga1, <= 7.4.3.132-ga132 |

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability is a classic CSRF issue where the application fails to validate the origin of a request. The provided commits clearly show that the APIGUI.js component was modified to fix this issue. Specifically, the useEffect hook within this component was changed to correctly parse the origin of the URL from the endpoint parameter. The original implementation was flawed, allowing an attacker to craft a malicious URL that would be processed by the application, leading to unauthorized actions. The patch addresses this by using the URL API to reliably extract the origin, ensuring that only requests from trusted sources are processed. The addition of a functional test in a separate commit further confirms that the fix is effective. Therefore, the APIGUI component is the primary vulnerable function, and the useEffect hook is the specific location of the vulnerability.
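The check described above, written out as an added example (this is not Liferay's APIGUI.js code): the endpoint parameter is parsed with the URL API, relative paths are resolved against the page's own origin, and anything whose computed origin or scheme differs is rejected. The parameter name "endpoint" and the trusted origin value are assumptions for illustration.

```javascript
// Added example, not Liferay's code: validate an "endpoint" query parameter
// by parsing it with the URL API and comparing its origin against the origin
// the portal itself is served from.
// Assumption: the parameter name "endpoint" and TRUSTED_ORIGIN are illustrative.

const TRUSTED_ORIGIN = "https://portal.example.com"; // constructed value

/**
 * Returns a normalized absolute URL string when `endpointParam` resolves to
 * the trusted origin, or null when the value must be rejected.
 * Relative paths are resolved against the trusted origin, so "/o/api" is
 * accepted while an absolute URL pointing at another host is not.
 */
function resolveTrustedEndpoint(endpointParam, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof endpointParam !== "string" || endpointParam.length === 0) {
    return null;
  }
  let url;
  try {
    // The base argument makes relative inputs resolve against the trusted origin.
    url = new URL(endpointParam, trustedOrigin);
  } catch {
    return null; // unparsable input is rejected rather than guessed at
  }
  // Only http(s) endpoints make sense for an API browser; any other scheme
  // is rejected outright.
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return null;
  }
  // `origin` is scheme + host + port exactly as the browser computes it,
  // which is what makes this reliable compared with slicing the string by hand.
  if (url.origin !== new URL(trustedOrigin).origin) {
    return null;
  }
  return url.href;
}

/** Reads ?endpoint=... from a query string and applies the check above. */
function endpointFromQuery(queryString, trustedOrigin = TRUSTED_ORIGIN) {
  const params = new URLSearchParams(queryString);
  return resolveTrustedEndpoint(params.get("endpoint"), trustedOrigin);
}
```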
