CVE-2022-25146
Description
The Remote App module in Liferay Portal v7.4.3.4 through v7.4.3.8 and Liferay DXP 7.4 before update 5 does not check if the origin of event messages it receives matches the origin of the Remote App, allowing attackers to exfiltrate the CSRF token via a crafted event message.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Remote App module in Liferay Portal and Liferay DXP fails to validate the origin of event messages, allowing attackers to exfiltrate the CSRF token via crafted messages.
Vulnerability
The Remote App module in Liferay Portal 7.4.3.4 through 7.4.3.8 and Liferay DXP 7.4 before update 5 does not check whether the origin of an incoming event message matches the origin of the Remote App, so a crafted event message sent from another origin is processed by the application [1]. The fix commit [3] shows that the receiveMessage function did not compare the parsed origin of the requested resource with the page's own origin, and that the defaultFetch function unconditionally included the x-csrf-token header in every request.
Exploitation
An attacker can send a malicious event message to a Liferay instance that has a Remote App deployed. No authentication is required to deliver the event message. The crafted message can trigger the defaultFetch function, which previously included the user's CSRF token (the x-csrf-token header) in requests to any origin. By pointing the resource parameter at a URL under the attacker's control (or using another exfiltration technique), the attacker can obtain the CSRF token. Because the origin check was missing, the message was processed even when it originated from a different domain [1][3].
Impact
Successful exploitation enables an attacker to exfiltrate the user's CSRF token. With the token, the attacker can perform cross-site request forgery (CSRF) attacks, impersonating the authenticated user to perform actions such as modifying settings or data. This compromises the confidentiality and integrity of the user's session [1].
Mitigation
The issue is fixed in Liferay Portal 7.4.3.9 and Liferay DXP 7.4 update 5. The fix adds origin validation in both receiveMessage and defaultFetch, ensuring that the CSRF token is only included in requests to the same origin [3]. Users should upgrade to the patched versions. No workaround is documented. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
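The two checks the narrative above describes, written out as an added example: an event-origin check on the incoming message and a same-origin check before the CSRF token is attached to a fetch. This is not Liferay's code and not the patched bridge.js or fetch.es.js; the portal origin, Remote App origin, token value and sample messages are constructed, and pageOrigin stands in for window.location.origin so the code runs under Node. It goes slightly beyond the text by resolving resource references through the URL parser, which also handles protocol-relative references correctly.

```javascript
// Added example, not Liferay's code: the two origin checks the advisory
// describes, written so they run under Node (no window object). pageOrigin
// stands in for window.location.origin; all origins, tokens and messages
// below are constructed sample values.

// Resolve a resource reference the way fetch() in the page would, i.e.
// relative to the document, and return its origin (null if unusable).
// Letting the URL parser do the work means protocol-relative references
// such as "//other.example/x" resolve to the other host and are rejected,
// where a string test like startsWith('/') would have accepted them.
function resolveResourceOrigin(resource, pageOrigin) {
  let location;
  if (typeof resource === 'string') {
    location = resource;
  } else if (resource && typeof resource.url === 'string') {
    location = resource.url; // Request-like object
  } else {
    return null;
  }
  try {
    return new URL(location, pageOrigin + '/').origin;
  } catch (err) {
    return null; // malformed reference: fail closed
  }
}

function isSameOriginResource(resource, pageOrigin) {
  return resolveResourceOrigin(resource, pageOrigin) === pageOrigin;
}

// Build the init object for fetch(): the CSRF token header and credentials
// are attached only for same-origin targets. Caller-supplied init entries
// win, so a caller can still opt into credentials for a cross-origin call,
// but the token is never added for one.
function buildFetchInit(resource, pageOrigin, csrfToken, init = {}) {
  const headers = {...(init.headers || {})};
  const config = {};
  if (isSameOriginResource(resource, pageOrigin)) {
    headers['x-csrf-token'] = csrfToken;
    config.credentials = 'include';
  }
  return {...config, ...init, headers};
}

// Decide how the bridge should treat a postMessage event from a Remote App.
// Two independent checks: the message must come from the origin the Remote
// App was registered with, and the requested resource must be same-origin
// with the portal page. Only then would a fetch carrying the token be made.
function handleBridgeMessage(event, pageOrigin, allowedAppOrigin) {
  if (event.origin !== allowedAppOrigin) {
    return {kind: 'ignore', reason: 'event origin does not match the Remote App origin'};
  }
  const data = event.data || {};
  if (typeof data.resource !== 'string') {
    return {kind: 'fetch:reject', reason: 'resource must be a string'};
  }
  if (!isSameOriginResource(data.resource, pageOrigin)) {
    return {kind: 'fetch:reject', reason: 'Invalid resource: Resource must come from permitted origin.'};
  }
  return {
    kind: 'fetch:accept',
    url: new URL(data.resource, pageOrigin + '/').href,
    init: buildFetchInit(data.resource, pageOrigin, '<csrf-token-placeholder>'),
  };
}

// Constructed sample traffic: one legitimate message, one from a foreign
// frame, one from the right frame but asking for a cross-origin resource.
const PAGE_ORIGIN = 'https://portal.example';
const APP_ORIGIN = 'https://remote-app.example';
const SAMPLE_EVENTS = [
  {origin: APP_ORIGIN, data: {resource: '/o/api/jsonws/invoke'}},
  {origin: 'https://other.example', data: {resource: '/o/api/jsonws/invoke'}},
  {origin: APP_ORIGIN, data: {resource: '//other.example/collect'}},
];

function runSamples() {
  return SAMPLE_EVENTS.map((e) => handleBridgeMessage(e, PAGE_ORIGIN, APP_ORIGIN).kind);
}

console.log(runSamples()); // ['fetch:accept', 'ignore', 'fetch:reject']
```

The design point is that the decision to attach the token is made on the parsed origin of the fully resolved URL, never on a string prefix, and that the check on event.origin is separate from the check on the requested resource: either one failing is enough to refuse the request.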
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.remote.app.web (Maven) | < 2.0.21 | 2.0.21 |
| com.liferay.portal:release.dxp.bom (Maven) | < 7.4.13.u5 | 7.4.13.u5 |
Affected products
- Liferay/Liferay Portal (description)
- OSV coordinates (3 versions): pkg:bitnami/liferay, pkg:maven/com.liferay/com.liferay.remote.app.web, pkg:maven/com.liferay.portal/release.dxp.bom
- (no CPE) range: < 7.4.0
- (no CPE) range: < 2.0.21
- (no CPE) range: < 7.4.13.u5
Patches
2fe144127a1a LPS-145277 - Prohibit fetch being called with authToken if the origin is different
3 files changed · +30 −20
modules/apps/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/util/fetch.es.js+16 −13 modified@@ -12,10 +12,6 @@ * details. */ -const DEFAULT_INIT = { - credentials: 'include', -}; - /** * Fetches a resource. A thin wrapper around ES6 Fetch API, with standardized * default configuration. @@ -26,19 +22,26 @@ const DEFAULT_INIT = { */ export default function defaultFetch(resource, init = {}) { - const headers = new Headers({'x-csrf-token': Liferay.authToken}); + let resourceLocation = resource.url ? resource.url : resource.toString(); + + if (resourceLocation.startsWith('/')) { + resourceLocation = window.location.origin + resourceLocation; + } + + const resourceURL = new URL(resourceLocation); + + const headers = new Headers({}); + const config = {}; + + if (resourceURL.origin === window.location.origin) { + headers.set('x-csrf-token', Liferay.authToken); + config.credentials = 'include'; + } new Headers(init.headers || {}).forEach((value, key) => { headers.set(key, value); }); - const mergedInit = { - ...DEFAULT_INIT, - ...init, - }; - - mergedInit.headers = headers; - // eslint-disable-next-line @liferay/portal/no-global-fetch - return fetch(resource, mergedInit); + return fetch(resource, {...config, ...init, headers}); }
modules/apps/remote-app/remote-app-web/src/main/resources/META-INF/resources/remote_protocol/bridge.js+11 −7 modified@@ -120,18 +120,22 @@ function receiveMessage(event) { // TODO: more validation here - const resource = data.resource; + let resource = data.resource; + + if (resource.startsWith('/o/')) { + resource = window.location.origin + resource; + } + + const resourceUrl = new URL(resource); // LPS-145277: Prevent requests to other origins - if ( - !( - resource.startsWith(window.location.origin) || - resource.startsWith('/o/') - ) - ) { + if (resourceUrl.origin !== window.location.origin) { postMessage(source, { appID, + error: new Error( + 'Invalid resource: Resource must come from permitted origin.' + ), kind: 'fetch:reject', requestID, });
modules/apps/remote-app/remote-app-web/test/remote_protocol/bridge.js+3 −0 modified@@ -278,6 +278,9 @@ describe('remote-app-web', () => { expect(receiveMessage.mock.calls[0][0].data).toEqual({ appID: 'some UUID', + error: new Error( + 'Invalid resource: Resource must come from permitted origin.' + ), kind: 'fetch:reject', protocol: 'com.liferay.remote.app.protocol', requestID: undefined,
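Review bot: In the first hunk of fetch.es.js, removing the module-level DEFAULT_INIT silently changes every cross-origin caller of defaultFetch: cookies are no longer sent unless the caller passes `credentials` in `init`. The JSDoc directly below still advertises "standardized default configuration"; update it to say that the token header and `credentials: 'include'` are now applied only for same-origin targets, so callers know to opt in explicitly where they need credentials.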
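Review bot: In the second hunk of fetch.es.js, `new URL(resourceLocation)` throws a TypeError for any relative reference that does not start with '/' (for example 'api/jsonws' or '?p=1'), which `fetch()` itself would have accepted, and the `startsWith('/')` branch also matches protocol-relative references ('//host/path'), turning them into a same-origin path for the comparison while `fetch(resource, ...)` still resolves the original string against the other host. Both go away if the reference is resolved against the document instead: `const resourceURL = new URL(resourceLocation, window.location.href);` and then compare `resourceURL.origin`. Also worth a comment: `{...config, ...init, headers}` lets `init.credentials` override the same-origin-only default, which looks intended but is not obvious from the code.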
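Review bot: In the bridge.js hunk, `resource.startsWith('/o/')` and `new URL(resource)` can both throw before the origin guard runs: the former when `data.resource` is not a string, the latter for any relative reference other than '/o/...' (no base URL is supplied). Neither throw is caught in the hunk, so the Remote App never receives the `fetch:reject` reply it gets for a foreign origin, and the "TODO: more validation here" above remains open. Check `typeof data.resource === 'string'` first, resolve with `new URL(resource, window.location.href)` inside a try/catch, and post `fetch:reject` on failure using the same error shape the hunk already introduces.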
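Review bot: The test hunk only asserts on the reject payload for a cross-origin resource; nothing exercises the new '/o/' prefixing branch or an absolute same-origin URL, so a regression in either accept path would pass CI. Add two accept cases next to this one (a '/o/...' resource and an absolute URL on window.location.origin), and a case where `data.resource` is absent, which currently documents the throwing behaviour noted on the bridge.js hunk.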
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-ghw5-998m-vw4w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25146 (GHSA, advisory)
- liferay.com (GHSA, x_refsource_MISC, web)
- github.com/liferay/liferay-portal/commit/2fe144127a1a3b4c74f47e4b760b992b997c276b (GHSA, web)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps (GHSA, web)
- portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/cve-2022-25146-csrf-token-exfiltration-via-remote-apps (GHSA, x_refsource_MISC, web)
- www.securitum.pl (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.