N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-43793

CVE-2025-43793: Liferay Portal has Improper Validation of Specified Quantity in Input

Liferay Portal 7.4.0 through 7.4.3.105, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions may incorrectly identify the subdomain of a domain name and create a supercookie, which allows remote attackers who control a website that share the same TLD to read cookies set by the application.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-43793

CVE-2025-43793:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:com.liferay.portal.impl	maven	< 96.0.0	96.0.0
com.liferay.portal:com.liferay.portal.kernel	maven	< 130.0.1	130.0.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, CVE-2025-43793, lies in the improper validation of domain names when setting cookies, which can result in the creation of a 'supercookie'. This supercookie has a broader domain scope than intended, making it accessible to other websites under the same Top-Level Domain (TLD). This could allow a malicious actor who controls another website under the same TLD to access the cookies set by the vulnerable Liferay Portal instance, potentially leading to session hijacking or other information disclosure.

The analysis of the patches between the last vulnerable version (7.4.3.105) and the first patched version (7.4.3.106) revealed a key commit that addresses this issue. The commit 3d9576707ca5e41ca2e14ae0bb8826a5fba8ac9c directly targets the logic for domain parsing.

The root cause of the vulnerability was identified in the com.liferay.cookies.internal.manager.CookiesManagerImpl.getDomain function. The original code used a manual and incorrect method of parsing the domain from a hostname by searching for periods. This logic did not correctly account for public suffixes (e.g., .com, .co.uk), leading to the creation of cookies for these broad domains.

The patch rectifies this by replacing the flawed manual parsing with Google's Guava library's InternetDomainName class. This library is specifically designed to handle domain names and public suffixes correctly, ensuring that cookies are set for the appropriate private domain and preventing the creation of supercookies. Therefore, the getDomain function in com.liferay.cookies.internal.manager.CookiesManagerImpl is the vulnerable function that would be observed in a runtime profile when this vulnerability is triggered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-43793: Liferay Portal has Improper Validation of Specified Quantity in Input

CVE-2025-43793:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-43793: Liferay Portal has Improper Validation of Specified Quantity in Input

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

N/A

N/A

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI