CVE-2025-43814
Liferay Portal and DXP audit events record password reminder answers
EPSS 0.07%
Description
In Liferay Portal 7.4.0 through 7.4.3.112, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions, the audit events record a user's password reminder answer, which allows remote authenticated users to obtain a user's password reminder answer via the audit events.
How to fix CVE-2025-43814
To remediate CVE-2025-43814, upgrade the affected package to a fixed version below.
- Maven/com.liferay:com.liferay.portal.security.audit.event.generators.user.management—upgrade to 5.0.13 or later
Is CVE-2025-43814 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/com.liferay:com.liferay.portal.security.audit.event.generators.user.management: all versions from 0 up to, but not including, 5.0.13
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |