CVE-2025-43819
Liferay Portal and DXP does not properly expire sessions
Description
### Summary

Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user's previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.

### Affected Versions

The following platform versions are affected:

* **Liferay Portal:**
  * `7.3.3.131` through `7.4.3.121`
* **Liferay DXP:**
  * `2024.Q4.0`–`2024.Q4.3`
  * `2024.Q3.1`–`2024.Q3.13`
  * `2024.Q2.0`–`2024.Q2.13`
  * `2024.Q1.1`–`2024.Q1.12`

### Remediation

Update to the fixed builds and, for Maven consumers of the SAML module, upgrade `com.liferay:com.liferay.saml.impl` to **5.0.51** or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end.
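The following is an added illustration, not Liferay's code and not a reproduction of the flaw: a minimal server-side session-store model in which single logout either ends only the calling session (the insufficient-expiration pattern the summary describes) or revokes every session of the user, together with the end-to-end check the remediation asks for. The names `SessionStore`, `slo_incomplete`, `slo_complete` and `verify_slo`, and the two-login scenario, are assumptions of this example.

```python
"""Added example (not Liferay code): models the session-expiration flaw class
behind CVE-2025-43819 and the post-upgrade check a defender would run.
Assumed, simplified model: a server-side map of session id -> user id."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    # A session is valid for as long as its id is present in this map.
    sessions: dict = field(default_factory=dict)

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return sid in self.sessions

    def slo_incomplete(self, sid: str) -> None:
        """Flawed single logout: ends only the session that called SLO,
        so the user's earlier sessions stay usable (insufficient expiration)."""
        self.sessions.pop(sid, None)

    def slo_complete(self, sid: str) -> None:
        """Hardened single logout: revokes every session belonging to the
        user who called SLO, so no stale session can be presented later."""
        user = self.sessions.get(sid)
        if user is None:
            return
        for stale in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[stale]


def verify_slo(store: SessionStore, slo_name: str) -> bool:
    """End-to-end check: log in twice as one user, trigger SLO from the
    newer session, then confirm that neither session is still authenticated."""
    old = store.login("alice")
    new = store.login("alice")
    getattr(store, slo_name)(new)
    return not (store.is_authenticated(old) or store.is_authenticated(new))


if __name__ == "__main__":
    print("incomplete SLO passes:", verify_slo(SessionStore(), "slo_incomplete"))
    print("complete SLO passes:  ", verify_slo(SessionStore(), "slo_complete"))
```

Against a real deployment the same check is run with two browser sessions: after SLO from one, the other's cookie must be rejected by the server, not merely cleared on the client.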
How to fix CVE-2025-43819
To remediate CVE-2025-43819, upgrade the affected package to a fixed version below.
- `com.liferay:com.liferay.saml.impl`: upgrade to 5.0.51 or later
Is CVE-2025-43819 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `com.liferay:com.liferay.saml.impl`: all versions from 0, < 5.0.51
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N |