CVE-2025-43797 — Liferay has Insecure Default Initialization of Resource issue

Description

In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.

How to fix CVE-2025-43797

To remediate CVE-2025-43797, upgrade the affected package to a fixed version below.

—upgrade to 5.0.111 or later

Is CVE-2025-43797 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.111

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43797
PATCHgithub.com/liferay/liferay-portal
WEBliferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43797