CVE-2025-43745
Description
A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19, and 7.4 GA through update 92, allows remote attackers to perform cross-origin requests on behalf of the authenticated user via the endpoint parameter.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0-ga1, <= 7.4.3.132-ga132 | — |
Affected products
- Liferay / DXP (v5 range): 7.4.13
Patches
037b58f96c9d LPD-59421 functional test
1 file changed · +12 −0
modules/test/playwright/tests/headless-discovery-web/main/apiExplorer.spec.ts+12 −0 modified@@ -43,3 +43,15 @@ test( }); } ); + +test( + 'Error mensaje is shown if the endpoint parameter is wrong', + {tag: '@LPD-59421'}, + async ({page}) => { + await page.goto('/o/api?endpoint=http://attacker.com/openapi.json'); + + await expect(page.getByText(`Forbidden access.`)).toBeVisible({ + timeout: 3000, + }); + } +);
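Review bot: the test title 'Error mensaje is shown if the endpoint parameter is wrong' carries a Spanish word; rename it to 'Error message is shown if the endpoint parameter is wrong'. The only input exercised is an absolute URL on a foreign host (`http://attacker.com/openapi.json`), so a regression that accepted a scheme-relative `//attacker.com/openapi.json`, a userinfo form such as `https://portal@attacker.com/openapi.json`, or a host that merely begins with the portal's own origin would still pass; add those negatives, and a positive case asserting that a same-origin `endpoint` still renders the explorer, so the test pins an origin comparison rather than a blanket rejection. The `Forbidden access.` assertion is written as a template literal with nothing interpolated; a plain string is enough.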
729dfc202c9d LPD-59421 set a value to the origin to compare with the endpoint
1 file changed · +2 −7
modules/apps/headless/headless-discovery/headless-discovery-web/src/js/APIGUI.js+2 −7 modified@@ -46,12 +46,7 @@ const APIGUI = () => { useEffect(() => { apiFetch(contextPath + '/o/openapi', 'get', {}).then((response) => { - setOrigin( - Object.values(response)[0][0].substring( - 0, - Object.values(response)[0][0].indexOf('/o/') - ) - ); + setOrigin(new URL(Object.values(response)[0][0]).origin); setEndpoints( Object.keys(response) .flatMap((key) => response[key]) @@ -315,7 +310,7 @@ const APIGUI = () => { {!origin ? ( <LoadingSpinner /> - ) :showGraphQL ? ( + ) : showGraphQL ? ( <ClayLayout.Row className="vh-100"> <GraphiQL fetcher={graphQLFetcher} /> </ClayLayout.Row>
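Review bot: `new URL(Object.values(response)[0][0]).origin` throws a TypeError if the first discovered URL is relative, which the old `substring` code tolerated, and the `.then` chain has no `.catch`, so the rejection would be silent, `origin` would stay unset and the page would sit on the spinner; pass a base, `new URL(value, window.location.href).origin`, or handle the rejection explicitly. The second hunk (`) :showGraphQL` to `) : showGraphQL`) is whitespace only and belongs in a formatting commit rather than in the security fix. The comparison that consumes `origin` is not in this hunk; it must compare origins (`new URL(endpoint, window.location.href).origin === origin`), not string prefixes, otherwise the normalized value gains nothing over the old prefix.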
2387ee78fd47 LPD-59421 wait until the origin is set
1 file changed · +13 −1
modules/apps/headless/headless-discovery/headless-discovery-web/src/js/APIGUI.js+13 −1 modified@@ -72,6 +72,16 @@ const APIGUI = () => { [contextPath, headers] ); + const LoadingSpinner = () => ( + <div className="swagger-ui"> + <div className="loading-container"> + <div className="info"> + <div className="loading"></div> + </div> + </div> + </div> + ); + const requestInterceptor = (req) => { req.headers['x-csrf-token'] = document.querySelector( 'meta[name="csrf-token"]' @@ -303,7 +313,9 @@ const APIGUI = () => { </ClayModal> )} - {showGraphQL ? ( + {!origin ? ( + <LoadingSpinner /> + ) :showGraphQL ? ( <ClayLayout.Row className="vh-100"> <GraphiQL fetcher={graphQLFetcher} /> </ClayLayout.Row>
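Review bot: `LoadingSpinner` is declared inside the `APIGUI` function body, so it is a new component type on every render and React unmounts and remounts it each time `APIGUI` re-renders; move the declaration to module scope. Gating on `!origin` is the right order of operations given the commit message: nothing derived from `endpoint` should be fetched or rendered while the value it is compared against is still undefined. Two follow-ups on the same hunk: `) :showGraphQL ? (` is missing a space after the colon (later fixed in 729dfc202c9d), and the `!origin` branch has no error state, so a failed `/o/openapi` request leaves the spinner up indefinitely; surface that failure instead of spinning forever.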
Vulnerability mechanics
The explorer page /o/api takes an endpoint query parameter naming the OpenAPI document to load. The fix commits show the control that was missing or weak: APIGUI.js derives the portal's origin from the first URL returned by /o/openapi and compares it with the endpoint. Before the fix that origin was a string prefix cut off at the first '/o/', and the explorer was rendered before the value was set at all; after the fix the origin is new URL(...).origin, the explorer waits behind a spinner until it exists, and the added functional test asserts that /o/api?endpoint=http://attacker.com/openapi.json shows 'Forbidden access.' rather than loading the cross-origin document in the authenticated user's browser.
References
- github.com/advisories/GHSA-7q33-gwcm-r6cj [advisory, via GHSA]
- nvd.nist.gov/vuln/detail/CVE-2025-43745 [advisory, via GHSA]
- github.com/liferay/liferay-portal/commit/037b58f96c9ded47960ab493a68d68aaf32b1a43 [web, via GHSA]
- github.com/liferay/liferay-portal/commit/2387ee78fd471ea1c1c4d696aa0cbb1bce72665e [web, via GHSA]
- github.com/liferay/liferay-portal/commit/729dfc202c9d2724b5f3f749ead14eb13832e101 [web, via GHSA]
- liferay.atlassian.net/browse/LPE-18275 [web, via GHSA]
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43745 [web, via GHSA]
News mentions
No linked articles in our index yet.