Moderate severity · NVD Advisory · Published Aug 20, 2025 · Updated Aug 20, 2025
CVE-2025-43749
CVE-2025-43749
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow unauthenticated users (guests) to access, via URL, files that were uploaded through a form and stored in document_library.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0-ga1, <= 7.4.3.132-ga132 | — |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches (2)
b88e7e0912d2 LPD-48331 Modify to test behavior
1 file changed · +46 −0
modules/apps/dynamic-data-mapping/dynamic-data-mapping-test/src/testIntegration/java/com/liferay/dynamic/data/mapping/form/web/internal/portlet/action/test/UploadFileEntryMVCActionCommandTest.java+46 −0 modified
@@ -7,19 +7,29 @@
 import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian;
 import com.liferay.document.library.kernel.model.DLFileEntry;
+import com.liferay.document.library.kernel.model.DLFolderConstants;
 import com.liferay.document.library.kernel.service.DLFileEntryLocalService;
 import com.liferay.dynamic.data.mapping.constants.DDMFormConstants;
 import com.liferay.dynamic.data.mapping.model.DDMFormInstance;
 import com.liferay.dynamic.data.mapping.test.util.DDMFormInstanceTestUtil;
+import com.liferay.dynamic.data.mapping.util.DDMFormUtil;
 import com.liferay.petra.memory.DeleteFileFinalizeAction;
 import com.liferay.petra.memory.FinalizeManager;
 import com.liferay.portal.kernel.json.JSONFactory;
 import com.liferay.portal.kernel.json.JSONObject;
 import com.liferay.portal.kernel.model.Group;
+import com.liferay.portal.kernel.model.Repository;
+import com.liferay.portal.kernel.model.ResourceConstants;
 import com.liferay.portal.kernel.model.User;
+import com.liferay.portal.kernel.model.role.RoleConstants;
 import com.liferay.portal.kernel.portlet.bridges.mvc.MVCActionCommand;
+import com.liferay.portal.kernel.portletfilerepository.PortletFileRepository;
+import com.liferay.portal.kernel.repository.model.Folder;
+import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil;
 import com.liferay.portal.kernel.service.CompanyLocalService;
+import com.liferay.portal.kernel.service.ResourcePermissionLocalService;
+import com.liferay.portal.kernel.service.RoleLocalServiceUtil;
 import com.liferay.portal.kernel.service.UserLocalService;
 import com.liferay.portal.kernel.test.ReflectionTestUtil;
 import com.liferay.portal.kernel.test.portlet.MockLiferayPortletActionRequest;
@@ -28,6 +38,7 @@ import com.liferay.portal.kernel.test.rule.DeleteAfterTestRun; import com.liferay.portal.kernel.test.util.GroupTestUtil; import com.liferay.portal.kernel.test.util.RandomTestUtil; +import com.liferay.portal.kernel.test.util.ServiceContextTestUtil; import com.liferay.portal.kernel.test.util.TestPropsValues; import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.upload.FileItem; @@ -105,6 +116,21 @@ public void setUp() throws Exception { new HashMap<>()), null, RandomTestUtil.randomString()); })); + + User user = DDMFormUtil.getDDMFormDefaultUser( + TestPropsValues.getCompanyId()); + + Repository repository = _portletFileRepository.addPortletRepository( + _group.getGroupId(), DDMFormConstants.SERVICE_NAME, + ServiceContextTestUtil.getServiceContext(_group.getGroupId())); + + Folder folder = _portletFileRepository.addPortletFolder( + user.getUserId(), repository.getRepositoryId(), + DLFolderConstants.DEFAULT_PARENT_FOLDER_ID, + DDMFormConstants.DDM_FORM_UPLOADED_FILES_FOLDER_NAME, + ServiceContextTestUtil.getServiceContext(_group.getGroupId())); + + _folderId = folder.getFolderId(); } @After @@ -140,6 +166,16 @@ public void testProcessAction() throws Exception { TestPropsValues.getCompanyId()); Assert.assertEquals(user.getUserId(), dlFileEntry.getUserId()); + + Assert.assertFalse( + _resourcePermissionLocalService.hasResourcePermission( + TestPropsValues.getCompanyId(), DLFileEntry.class.getName(), + ResourceConstants.SCOPE_INDIVIDUAL, + String.valueOf(dlFileEntry.getFileEntryId()), + RoleLocalServiceUtil.getRole( + TestPropsValues.getCompanyId(), RoleConstants.GUEST + ).getRoleId(), + ActionKeys.VIEW)); } private FileItem _getFileItem() throws Exception { 
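Review bot: The assertion added to `testProcessAction` only checks that the Guest role has no individual-scope `VIEW` permission row for the uploaded entry. It does not exercise the access path the advisory describes, a guest fetching the stored file by URL. It would presumably still pass if guest access were granted through another action or a broader scope. Consider a second assertion covering the other guest-default actions on `DLFileEntry`, plus a comment above the assert such as `// Guests must not be able to view files uploaded through a form (LPD-48331)`. `RoleLocalServiceUtil` is called statically here while the other services in this class are `@Inject`ed, so an injected `RoleLocalService` would be more consistent; the test method itself starts outside the hunk.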
@@ -188,6 +224,8 @@ public boolean isInMemory() { MockMultipartHttpServletRequest mockMultipartHttpServletRequest = new MockMultipartHttpServletRequest(); + mockMultipartHttpServletRequest.addParameter( + "folderId", String.valueOf(_folderId)); mockMultipartHttpServletRequest.addParameter( "formInstanceId", String.valueOf(_ddmFormInstance.getFormInstanceId())); @@ -219,6 +257,8 @@ public boolean isInMemory() { @Inject private DLFileEntryLocalService _dlFileEntryLocalService; + private long _folderId; + @DeleteAfterTestRun private Group _group; @@ -233,6 +273,12 @@ public boolean isInMemory() { @Inject private Portal _portal; + @Inject + private PortletFileRepository _portletFileRepository; + + @Inject + private ResourcePermissionLocalService _resourcePermissionLocalService; + private UploadHandler _uploadHandler; @Inject
5919534a979a LPD-48331 Remove guest user view permission after file upload
1 file changed · +23 −4
modules/apps/dynamic-data-mapping/dynamic-data-mapping-form-web/src/main/java/com/liferay/dynamic/data/mapping/form/web/internal/portlet/action/UploadFileEntryMVCActionCommand.java+23 −4 modified
@@ -9,6 +9,7 @@
 import com.liferay.document.library.kernel.exception.FileNameException;
 import com.liferay.document.library.kernel.exception.FileSizeException;
 import com.liferay.document.library.kernel.exception.InvalidFileException;
+import com.liferay.document.library.kernel.model.DLFileEntry;
 import com.liferay.dynamic.data.mapping.constants.DDMActionKeys;
 import com.liferay.dynamic.data.mapping.constants.DDMFormConstants;
 import com.liferay.dynamic.data.mapping.constants.DDMPortletKeys;
@@ -27,14 +28,18 @@
 import com.liferay.portal.kernel.language.Language;
 import com.liferay.portal.kernel.log.Log;
 import com.liferay.portal.kernel.log.LogFactoryUtil;
+import com.liferay.portal.kernel.model.ResourceConstants;
 import com.liferay.portal.kernel.model.User;
+import com.liferay.portal.kernel.model.role.RoleConstants;
 import com.liferay.portal.kernel.portlet.bridges.mvc.BaseMVCActionCommand;
 import com.liferay.portal.kernel.portlet.bridges.mvc.MVCActionCommand;
 import com.liferay.portal.kernel.portletfilerepository.PortletFileRepositoryUtil;
 import com.liferay.portal.kernel.repository.model.FileEntry;
 import com.liferay.portal.kernel.security.auth.PrincipalException;
+import com.liferay.portal.kernel.security.permission.ActionKeys;
 import com.liferay.portal.kernel.service.CompanyLocalService;
-import com.liferay.portal.kernel.service.UserLocalService;
+import com.liferay.portal.kernel.service.ResourcePermissionLocalService;
+import com.liferay.portal.kernel.service.RoleLocalService;
 import com.liferay.portal.kernel.theme.ThemeDisplay;
 import com.liferay.portal.kernel.upload.UploadPortletRequest;
 import com.liferay.portal.kernel.util.ArrayUtil;
@@ -101,10 +106,13 @@ protected void doProcessAction( private ObjectFieldSettingLocalService _objectFieldSettingLocalService; @Reference - private UploadHandler _uploadHandler; + private ResourcePermissionLocalService _resourcePermissionLocalService; + + @Reference + private RoleLocalService _roleLocalService; @Reference - private UserLocalService _userLocalService; + private UploadHandler _uploadHandler; private class DDMFormUploadFileEntryHandler implements UploadFileEntryHandler { @@ -172,11 +180,22 @@ protected FileEntry addFileEntry( String uniqueFileName = PortletFileRepositoryUtil.getUniqueFileName( groupId, folderId, fileName); - return PortletFileRepositoryUtil.addPortletFileEntry( + FileEntry fileEntry = PortletFileRepositoryUtil.addPortletFileEntry( null, groupId, user.getUserId(), DDMFormInstance.class.getName(), 0, DDMFormConstants.SERVICE_NAME, folderId, file, uniqueFileName, mimeType, true); + + _resourcePermissionLocalService.removeResourcePermission( + themeDisplay.getCompanyId(), DLFileEntry.class.getName(), + ResourceConstants.SCOPE_INDIVIDUAL, + String.valueOf(fileEntry.getFileEntryId()), + _roleLocalService.getRole( + themeDisplay.getCompanyId(), RoleConstants.GUEST + ).getRoleId(), + ActionKeys.VIEW); + + return fileEntry; } private void _validateAttachmentObjectField(
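Review bot: In `addFileEntry` the entry is still created first and the Guest `VIEW` grant is revoked only afterwards. If `_roleLocalService.getRole(...)` or `removeResourcePermission(...)` throws, the stored file may keep guest access; whether the surrounding action runs in a single transaction is not visible in this hunk. Only `ActionKeys.VIEW` is removed, so any other action the Guest role receives by default on `DLFileEntry` (for example `ActionKeys.DOWNLOAD`, if it is among the guest defaults) would remain and should be verified. The change applies only to new uploads, so entries stored before the upgrade need a separate permission audit. I would at least add `// Form uploads must not be readable by guests: drop the default Guest VIEW grant (LPD-48331)` above the removal call; the method signature starts outside the hunk.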
References (6)
- github.com/advisories/GHSA-5fx5-cff6-f3fp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43749 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/5919534a979a97444172f49705b7a224e372e625 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/b88e7e0912d27cc166fc788b642616ece9e8c484 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-18176 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43749 (ghsa, WEB)