CVE-2025-43825 — Liferay Portal exposes sensitive user data through its Freemarker template

Description

A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially expose, confidential information that should remain restricted.

How to fix CVE-2025-43825

To remediate CVE-2025-43825, upgrade the affected package to a fixed version below.

—upgrade to 7.0.60 or later

Is CVE-2025-43825 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 7.0.3, < 7.0.60

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43825
WEBgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/ff6c9fb24587a0c7bf3c48356a38b3f492670ea0
WEBliferay.atlassian.net/browse/LPE-18166