CVE-2025-43798: Liferay DXP Missing Critical Step in Authentication

September 15, 2025 (updated November 10, 2025)

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.

References

github.com/advisories/GHSA-4p5r-3jmm-652q
github.com/liferay/liferay-portal
github.com/liferay/liferay-portal/commit/1df25e46675afe7c3a2754bf8968bcb9677db950
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43798
nvd.nist.gov/vuln/detail/CVE-2025-43798

Code Behaviors & Features

Detect and mitigate CVE-2025-43798 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →