CVE-2025-43789 — Liferay Portal JSON Web Services Direct Class Invocation Enables Service Access

Description

JSON Web Services in Liferay Portal 7.4.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.9, 7.4 GA through update 92 published to OSGi are registered and invoked directly as classes which allows Service Access Policies to get executed.

How to fix CVE-2025-43789

To remediate CVE-2025-43789, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.comment.web—upgrade to 6.1.4 or later

Is CVE-2025-43789 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 6.0.2, < 6.1.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43789
WEBgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/576039619a12f28304c5153ad3fa5e39f00548b3
WEBgithub.com/liferay/liferay-portal/commit/cb349be999396e97883e5fa7ccf2d226737779ac