CVE-2025-43732 — Liferay Portal Vulnerable to Insecure Direct Object Reference

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations.

How to fix CVE-2025-43732

To remediate CVE-2025-43732, upgrade the affected package to a fixed version below.

—upgrade to 5.0.32 or later

Is CVE-2025-43732 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.32

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43732
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/1ab3de8142d9201d10d89f5eeb1edeea64599d57
WEBgithub.com/liferay/liferay-portal/commit/830140e15ccfeb105641681c4f2bb375c12582ba