
CVE-2025-43789: Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access Policy Execution

CVSS Score: N/A

Basic Information

EPSS Score: 0.04627%
Published: 9/12/2025
Updated: 9/15/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay:com.liferay.comment.web
Ecosystem: maven
Vulnerable Versions: >= 6.0.2, < 6.1.4
First Patched Version: 6.1.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability, described as 'JSON Web Services Direct Class Invocation Enables Service Access Policy Execution', stems from a misconfiguration in how certain JSON web services were registered within Liferay Portal. Instead of being registered in a way that allowed Liferay's Aspect-Oriented Programming (AOP) framework to proxy them and apply security policies, the service classes were invoked directly. This effectively bypassed the intended Service Access Policy (SAP) checks, creating an authorization vulnerability.

The analysis of the provided patches confirms this root cause. The commits consistently modify the service implementation classes to ensure they are correctly intercepted by the AOP framework. Two primary patterns were observed in the patches:

  1. Introducing an Interface: For com.liferay.comment.web.internal.jsonws.CommentManagerJSONWSImpl, the fix involved creating a new interface (CommentManagerJSONWS) and having the implementation class implement it. The commit message, "LPD-4056 An interface is required to be able to proxy", states explicitly that the change was needed to make the class proxyable, and proxying is the mechanism through which AOP advices such as security checks are applied.

  2. Implementing AopService: For com.liferay.commerce.internal.country.CommerceCountryManagerImpl, the fix was to make the class implement the AopService interface and change its component registration. This hooks the class directly into the AOP system, ensuring its methods are intercepted as intended. The commit message, "LPD-4056 Ensure CommerceCountryManagerImpl is intercepted by advices", confirms this.

Therefore, the vulnerable functions are the public methods within these service classes that were exposed via JSON-WS. During exploitation, a runtime profiler would show calls to these methods, which, prior to the patch, would have been executed without the proper authorization checks being performed by the AOP framework.
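The following Java example is added here to illustrate the mechanism the analysis describes; it is not Liferay's code, and CommentService, CommentServiceImpl, wrapWithPolicy and the read-only policy set are hypothetical stand-ins for CommentManagerJSONWS, CommentManagerJSONWSImpl and a Service Access Policy. A JDK dynamic proxy can only be built over an interface, so a policy-enforcing "advice" runs for interface-backed calls but cannot even be attached to a concrete class registered without one.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.Set;

public class SapProxyDemo {

    // Hypothetical interface standing in for the CommentManagerJSONWS interface the fix introduced.
    interface CommentService {
        String deleteComment(long commentId);
    }

    // Hypothetical implementation standing in for CommentManagerJSONWSImpl.
    static class CommentServiceImpl implements CommentService {
        public String deleteComment(long commentId) {
            return "deleted " + commentId;
        }
    }

    // The "advice": every call through the proxy is checked against a hypothetical Service Access
    // Policy (a set of permitted method names) before it reaches the target. Proxy.newProxyInstance
    // accepts interfaces only, so a concrete class invoked directly never passes through this handler.
    static Object wrapWithPolicy(Object target, Class<?> iface, Set<String> allowedMethods) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (!allowedMethods.contains(method.getName())) {
                throw new SecurityException("Service Access Policy denies " + method.getName());
            }
            return method.invoke(target, args);
        };
        return Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] { iface }, handler);
    }

    public static void main(String[] args) {
        Set<String> readOnlyPolicy = Set.of("getComments", "getCommentsCount");
        CommentService guarded =
            (CommentService) wrapWithPolicy(new CommentServiceImpl(), CommentService.class, readOnlyPolicy);
        try {
            guarded.deleteComment(42L); // the advice runs and denies the call
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // Pre-patch shape: the concrete class is offered for proxying instead of an interface,
        // so the proxy cannot be created and the policy check never has a chance to run.
        try {
            wrapWithPolicy(new CommentServiceImpl(), CommentServiceImpl.class, readOnlyPolicy);
        } catch (IllegalArgumentException e) {
            System.out.println("cannot proxy: " + e.getMessage());
        }
    }
}
```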

Vulnerable functions

com.liferay.comment.web.internal.jsonws.CommentManagerJSONWSImpl
modules/apps/comment/comment-web/src/main/java/com/liferay/comment/web/internal/jsonws/CommentManagerJSONWSImpl.java
  - addComment
  - deleteComment
  - getComments
  - getCommentsCount
  - updateComment
These methods were exposed via a JSON Web Service that was invoked directly as a concrete class rather than through an interface. This prevented Liferay's AOP-based Service Access Policies from being applied, leading to an authorization bypass. An attacker could potentially call these methods without proper permission checks.

com.liferay.commerce.internal.country.CommerceCountryManagerImpl.getBillingCountries
modules/apps/commerce/commerce-service/src/main/java/com/liferay/commerce/internal/country/CommerceCountryManagerImpl.java
This method, and likely others in its class, was exposed via a JSON Web Service that was not correctly configured to be intercepted by Liferay's AOP framework. This meant that security-related 'advices', such as Service Access Policy checks, were not being executed, leading to an authorization bypass.
