CVE-2025-43773 — Liferay Portal allows improper access through the expandoTableLocalService

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService.

How to fix CVE-2025-43773

To remediate CVE-2025-43773, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.portal.workflow.kaleo.runtime.impl—upgrade to 6.0.93 or later

Is CVE-2025-43773 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.93

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43773
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/1cbc4b615c270ce986b7fa1835ed196a11ac3234
WEBgithub.com/liferay/liferay-portal/commit/58849cc83348af289944c874301e16e039ae4270