CVE-2025-43763: Liferay Portal is vulnerable to SSRF through custom object attachment fields

CVSS Score: N/A

Basic Information

EPSS Score: 0.08876%
Published: 9/9/2025
Updated: 9/10/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name                             Ecosystem   Vulnerable Versions   First Patched Version
com.liferay:com.liferay.object.service   maven       < 1.0.208             1.0.208

Vulnerability Intelligence

Miggo AI Root Cause Analysis

Analysis of the provided commits indicates that the vulnerability lies in the getOrAddFileEntry method of the AttachmentManagerImpl class: commits e5fe3f9e9916e66a896e7c321e641c6eabbf4dae and 0adf32842d055f40accc8b341c4feb11a9728261 both add validation logic to that method. The root cause is that the FileEntry fetched by externalReferenceCode was used without any check on its companyId, so an attacker could supply an external reference code that resolves to a resource outside the intended scope, which leads to the SSRF. The added code explicitly checks that the companyId of the fetched entry matches the current companyId, closing the gap. Consequently, any runtime profile capturing exploitation of this vulnerability would show com.liferay.object.internal.field.attachment.AttachmentManagerImpl.getOrAddFileEntry in the stack trace, since it is the entry point that processes the malicious input.
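To make the described fix concrete, the following is an added example written for this page; it is not Liferay's code and does not use Liferay's APIs. The FileEntry record, FileEntryStore and AttachmentLookup classes are hypothetical stand-ins that model only what the analysis describes: a lookup keyed by externalReferenceCode that is tenant-unaware, first without and then with the companyId check that the patches add.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed stand-in for a Liferay FileEntry, keeping only the fields the check needs.
record FileEntry(long fileEntryId, long companyId, String externalReferenceCode) {}

// Hypothetical store: external reference codes are looked up without regard to tenant.
class FileEntryStore {
    private final Map<String, FileEntry> byErc = new HashMap<>();

    void add(FileEntry entry) {
        byErc.put(entry.externalReferenceCode(), entry);
    }

    FileEntry fetchByExternalReferenceCode(String erc) {
        return byErc.get(erc);
    }
}

class AttachmentLookup {
    private final FileEntryStore store;

    AttachmentLookup(FileEntryStore store) {
        this.store = store;
    }

    // Vulnerable pattern described in the analysis: whatever the code resolves to is returned,
    // even when it belongs to another company.
    FileEntry getOrAddFileEntryUnchecked(long currentCompanyId, String erc) {
        return store.fetchByExternalReferenceCode(erc);
    }

    // Hardened pattern: the fetched entry must belong to the calling company.
    // A null result represents the "add" branch, where the caller would create a new entry
    // scoped to currentCompanyId instead of reusing a foreign one.
    FileEntry getOrAddFileEntryChecked(long currentCompanyId, String erc) {
        FileEntry entry = store.fetchByExternalReferenceCode(erc);
        if (entry == null) {
            return null;
        }
        if (entry.companyId() != currentCompanyId) {
            throw new SecurityException("FileEntry with external reference code '" + erc
                + "' belongs to company " + entry.companyId()
                + ", not to the current company " + currentCompanyId);
        }
        return entry;
    }
}

public class AttachmentScopeDemo {
    public static void main(String[] args) {
        // Constructed sample data: one entry per tenant, sharing the same store.
        FileEntryStore store = new FileEntryStore();
        store.add(new FileEntry(101L, 1L, "invoice-2025"));
        store.add(new FileEntry(202L, 2L, "quarterly-report"));

        AttachmentLookup lookup = new AttachmentLookup(store);
        long callerCompanyId = 1L;

        // Unchecked lookup hands tenant 1 an entry owned by tenant 2.
        FileEntry leaked = lookup.getOrAddFileEntryUnchecked(callerCompanyId, "quarterly-report");
        System.out.println("unchecked lookup returned: " + leaked);

        // Checked lookup rejects the cross-tenant reference.
        try {
            lookup.getOrAddFileEntryChecked(callerCompanyId, "quarterly-report");
        } catch (SecurityException e) {
            System.out.println("checked lookup rejected: " + e.getMessage());
        }

        // Checked lookup still resolves the caller's own entry.
        FileEntry own = lookup.getOrAddFileEntryChecked(callerCompanyId, "invoice-2025");
        System.out.println("checked lookup returned: " + own);
    }
}
```

Save as AttachmentScopeDemo.java and run with a Java 16 or newer JDK (records are used). The design point is that the ownership check sits in the same method that performs the lookup, so every caller of the "get or add" path inherits it; an external reference code is a caller-supplied string and must never be trusted to stay within the caller's company on its own.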
