CVE-2025-43806
Liferay Portal and DXP do not properly check permissions on Batch Engine import and export tasks
EPSS 0.06%
Description
The Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and in Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92, does not properly check permissions on import and export tasks. A remote, authenticated user can therefore retrieve the data exported by a task through the REST APIs, even when that user is not authorised to read the underlying entities.
How to fix CVE-2025-43806
To remediate CVE-2025-43806, upgrade each affected artifact to a fixed version or later:
- Maven/com.liferay:com.liferay.batch.engine.service: upgrade to 4.0.102 or later
- second affected artifact (coordinates not listed on this page): upgrade to 4.0.52 or later
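A quick way to tell whether a build pulls in the vulnerable artifact is to scan the output of `mvn dependency:list` against the range stated above. The script below is an added example written for this page, not Liferay's or any scanner's code; it knows only the one artifact the page names (the second affected artifact has no coordinates here, so it must be added to the table once known), and the dependency-list lines it parses are constructed sample input.

```python
"""Flag Maven artifacts that fall in the CVE-2025-43806 affected range.

Added example for this advisory page (not Liferay project code).
Input is the `groupId:artifactId:type[:classifier]:version:scope` line
format printed by `mvn dependency:list`.
"""
import re
from typing import Dict, List, Tuple

# Affected range from the page: every release below 4.0.102 (fixed in 4.0.102).
# The page's second affected artifact is not named, so it is not listed here;
# add its coordinates and fixed version (4.0.52) once you know them.
AFFECTED_BELOW: Dict[str, str] = {
    "com.liferay:com.liferay.batch.engine.service": "4.0.102",
}

# One dependency line; the classifier segment is optional.
_DEP_RE = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<t>[\w\-]+)"
    r"(?::(?P<c>[\w\-]+))?:(?P<v>[\w.\-]+):(?P<s>\w+)"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.0.101' into (4, 0, 101) for tuple comparison.

    Parsing stops at the first non-numeric segment (e.g. a '-SNAPSHOT'
    suffix), so '4.0.101-SNAPSHOT' compares as 4.0.101.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_affected(coordinate: str, version: str,
                affected: Dict[str, str] = AFFECTED_BELOW) -> bool:
    """True when `coordinate` is a tracked artifact below its fixed version."""
    fixed = affected.get(coordinate)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)


def scan_dependency_list(text: str,
                         affected: Dict[str, str] = AFFECTED_BELOW
                         ) -> List[Tuple[str, str, str]]:
    """Return (coordinate, installed_version, fixed_version) for each hit."""
    hits = []
    for line in text.splitlines():
        match = _DEP_RE.search(line)
        if not match:
            continue
        coordinate = f"{match['g']}:{match['a']}"
        if is_affected(coordinate, match["v"], affected):
            hits.append((coordinate, match["v"], affected[coordinate]))
    return hits


if __name__ == "__main__":
    # Constructed sample output, not taken from a real build.
    SAMPLE = (
        "[INFO]    com.liferay:com.liferay.batch.engine.service:jar:4.0.101:compile\n"
        "[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile\n"
    )
    for coord, installed, fixed in scan_dependency_list(SAMPLE):
        print(f"VULNERABLE {coord} {installed} (upgrade to {fixed} or later)")
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` output for every module of the deployment; a match on the service artifact below 4.0.102 means the build is in the affected range regardless of which Portal or DXP release line it came from.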
Is CVE-2025-43806 being exploited?
Low. The EPSS score is 0.06%, the estimated probability of exploitation in the wild over the next 30 days; this page reports no observed exploitation at scale. Note that the flaw still requires only a low-privileged authenticated account (PR:L in the vector below), so any instance that hands out user accounts freely should treat the upgrade as routine hygiene rather than optional.
Affected packages (2)
- com.liferay:com.liferay.batch.engine.service: all versions before 4.0.102
- second affected artifact (coordinates not listed on this page): all versions before 4.0.52
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | not provided | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |