CVE-2025-43805: Liferay Portal allows remote attackers to view display page templates via crafted URLs

September 17, 2025 (updated November 10, 2025)

Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when users attempt to view a display page template, which allows remote attackers to view display page templates via crafted URLs.

References

github.com/advisories/GHSA-5pp7-m8x8-rc82
github.com/liferay/liferay-portal/compare/7.4.3.111-ga111...7.4.3.112-ga112
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43805
nvd.nist.gov/vuln/detail/CVE-2025-43805

Code Behaviors & Features

Detect and mitigate CVE-2025-43805 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →