CVE-2025-43795

Description

An open redirect vulnerability in the System Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4 , 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_SystemSettingsPortlet_redirect parameter. An open redirect vulnerability in the Instance Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_configuration_admin_web_portlet_InstanceSettingsPortlet_redirect parameter. An open redirect vulnerability in the Site Settings in Liferay Portal 7.1.0 through 7.4.3.101, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to redirect users to arbitrary external URLs via the _com_liferay_site_admin_web_portlet_SiteSettingsPortlet_redirect parameter.

How to fix CVE-2025-43795

To remediate CVE-2025-43795, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.76 or later
• —upgrade to 5.0.103 or later

Is CVE-2025-43795 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 2.0.7, < 5.0.76
• >= 2.0.4, < 5.0.103

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43795
• PATCHgithub.com/liferay/liferay-portal
• WEBgithub.com/liferay/liferay-portal/commit/81b2bdf2f48dbd467718ccc95c5bba31e5985fab
• WEBgithub.com/liferay/liferay-portal/commit/cf23864f2b7a0e346f42961e0ad6c7ef5facb2b4