Moderate severityNVD Advisory· Published Aug 20, 2025· Updated Sep 17, 2025
CVE-2025-43750
CVE-2025-43750
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.liferay:com.liferay.dynamic.data.mapping.form.webMaven | < 4.0.180 | 4.0.180 |
Affected products
2 - Liferay/DXP v5 — Range: 7.4.13
Patches
2b9e57377cb88LPD-49016 Add integration test
1 file changed · +43 −13
modules/apps/dynamic-data-mapping/dynamic-data-mapping-test/src/testIntegration/java/com/liferay/dynamic/data/mapping/form/web/internal/portlet/action/test/UploadFileEntryMVCActionCommandTest.java+43 −13 modified@@ -6,6 +6,7 @@ package com.liferay.dynamic.data.mapping.form.web.internal.portlet.action.test; import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian; +import com.liferay.document.library.configuration.DLFileEntryMimeTypeConfiguration; import com.liferay.document.library.kernel.model.DLFileEntry; import com.liferay.document.library.kernel.model.DLFolderConstants; import com.liferay.document.library.kernel.service.DLFileEntryLocalService; @@ -16,6 +17,7 @@ import com.liferay.petra.memory.DeleteFileFinalizeAction; import com.liferay.petra.memory.FinalizeManager; import com.liferay.petra.string.StringPool; +import com.liferay.portal.configuration.test.util.CompanyConfigurationTemporarySwapper; import com.liferay.portal.kernel.json.JSONFactory; import com.liferay.portal.kernel.json.JSONObject; import com.liferay.portal.kernel.model.Group; @@ -46,6 +48,8 @@ import com.liferay.portal.kernel.upload.FileItem; import com.liferay.portal.kernel.util.ContentTypes; import com.liferay.portal.kernel.util.HashMapBuilder; +import com.liferay.portal.kernel.util.HashMapDictionaryBuilder; +import com.liferay.portal.kernel.util.LocaleUtil; import com.liferay.portal.kernel.util.Portal; import com.liferay.portal.kernel.util.ProxyUtil; import com.liferay.portal.kernel.util.StringUtil; 
@@ -159,24 +163,12 @@ public void testProcessAction() throws Exception { _dlFileEntryLocalService.fetchDLFileEntry( _oldDLFileEntry.getFileEntryId())); - MockLiferayPortletActionResponse mockLiferayPortletActionResponse = - new MockLiferayPortletActionResponse(); - - _mvcActionCommand.processAction( - new MockLiferayPortletActionRequest(_getMockHttpServletRequest()), - mockLiferayPortletActionResponse); + JSONObject jsonObject = _processAction(); Assert.assertNull( _dlFileEntryLocalService.fetchDLFileEntry( _oldDLFileEntry.getFileEntryId())); - MockHttpServletResponse mockHttpServletResponse = - (MockHttpServletResponse) - mockLiferayPortletActionResponse.getHttpServletResponse(); - - JSONObject jsonObject = _jsonFactory.createJSONObject( - mockHttpServletResponse.getContentAsString()); - JSONObject fileJSONObject = jsonObject.getJSONObject("file"); DLFileEntry dlFileEntry = _dlFileEntryLocalService.fetchDLFileEntry( @@ -201,6 +193,27 @@ public void testProcessAction() throws Exception { ActionKeys.VIEW)); } + @Test + public void testProcessActionWithInvalidMimetype() throws Exception { + try (CompanyConfigurationTemporarySwapper + companyConfigurationTemporarySwapper = + new CompanyConfigurationTemporarySwapper( + TestPropsValues.getCompanyId(), + DLFileEntryMimeTypeConfiguration.class.getName(), + HashMapDictionaryBuilder.<String, Object>put( + "fileMimeTypes", new String[] {"image/jpeg"} + ).build())) { + + JSONObject jsonObject = _processAction(); + + JSONObject errorJSONObject = jsonObject.getJSONObject("error"); + + Assert.assertEquals( + "Please enter a file with a valid mime type (image/jpeg).", + errorJSONObject.get("message")); + } + } + private FileItem _getFileItem() throws Exception { Path path = Files.createTempFile(null, ".txt"); 
@@ -260,6 +273,7 @@ private MockHttpServletRequest _getMockHttpServletRequest() themeDisplay.setCompany( _companyLocalService.fetchCompany(TestPropsValues.getCompanyId())); + themeDisplay.setLocale(LocaleUtil.US); themeDisplay.setPermissionChecker( PermissionCheckerFactoryUtil.create(TestPropsValues.getUser())); @@ -272,6 +286,22 @@ private MockHttpServletRequest _getMockHttpServletRequest() return mockHttpServletRequest; } + private JSONObject _processAction() throws Exception { + MockLiferayPortletActionResponse mockLiferayPortletActionResponse = + new MockLiferayPortletActionResponse(); + + _mvcActionCommand.processAction( + new MockLiferayPortletActionRequest(_getMockHttpServletRequest()), + mockLiferayPortletActionResponse); + + MockHttpServletResponse mockHttpServletResponse = + (MockHttpServletResponse) + mockLiferayPortletActionResponse.getHttpServletResponse(); + + return _jsonFactory.createJSONObject( + mockHttpServletResponse.getContentAsString()); + } + @Inject private CompanyLocalService _companyLocalService;
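Review bot: testProcessActionWithInvalidMimetype (hunk @@ -201,6 +193,27 @@) checks only the "error" message text, so a regression in which the upload is persisted and the error is reported afterwards would still pass; after `JSONObject jsonObject = _processAction();` add `Assert.assertFalse(jsonObject.has("file"));` so the test also pins that no file entry is returned when the mime type is rejected. The expected string is the English rendering of the language key, which only holds because `_getMockHttpServletRequest` now sets `themeDisplay.setLocale(LocaleUtil.US)`; a one-line comment above the assertion, `// message text depends on the US locale set in _getMockHttpServletRequest`, would make that coupling visible. The enclosing test class continues outside the hunks.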
7f58439723c8LPD-49016 Validate file mime type when uploading file as guest user
1 file changed · +33 −3
modules/apps/dynamic-data-mapping/dynamic-data-mapping-form-web/src/main/java/com/liferay/dynamic/data/mapping/form/web/internal/portlet/action/UploadFileEntryMVCActionCommand.java+33 −3 modified@@ -5,11 +5,14 @@ package com.liferay.dynamic.data.mapping.form.web.internal.portlet.action; +import com.liferay.document.library.configuration.DLFileEntryMimeTypeConfiguration; import com.liferay.document.library.kernel.exception.FileExtensionException; +import com.liferay.document.library.kernel.exception.FileMimeTypeException; import com.liferay.document.library.kernel.exception.FileNameException; import com.liferay.document.library.kernel.exception.FileSizeException; import com.liferay.document.library.kernel.exception.InvalidFileException; import com.liferay.document.library.kernel.model.DLFileEntry; +import com.liferay.document.library.kernel.util.DLValidator; import com.liferay.dynamic.data.mapping.constants.DDMActionKeys; import com.liferay.dynamic.data.mapping.constants.DDMFormConstants; import com.liferay.dynamic.data.mapping.constants.DDMPortletKeys; @@ -22,6 +25,7 @@ import com.liferay.object.model.ObjectFieldSetting; import com.liferay.object.service.ObjectFieldSettingLocalService; import com.liferay.petra.string.StringPool; +import com.liferay.portal.configuration.module.configuration.ConfigurationProvider; import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.io.unsync.UnsyncByteArrayInputStream; import com.liferay.portal.kernel.json.JSONObject; @@ -96,6 +100,9 @@ protected void doProcessAction( @Reference private CompanyLocalService _companyLocalService; + @Reference + private ConfigurationProvider _configurationProvider; + private final DDMFormUploadFileEntryHandler _ddmFormUploadFileEntryHandler = new DDMFormUploadFileEntryHandler(); private final DDMFormUploadResponseHandler _ddmFormUploadResponseHandler = 
@@ -104,6 +111,9 @@ protected void doProcessAction( @Reference(target = "(upload.response.handler.system.default=true)") private UploadResponseHandler _defaultUploadResponseHandler; + @Reference + private DLValidator _dlValidator; + @Reference private Language _language; @@ -129,6 +139,10 @@ public FileEntry upload(UploadPortletRequest uploadPortletRequest) File file = null; try { + ThemeDisplay themeDisplay = + (ThemeDisplay)uploadPortletRequest.getAttribute( + WebKeys.THEME_DISPLAY); + InputStream inputStream = uploadPortletRequest.getFileAsStream( "file"); @@ -140,6 +154,11 @@ public FileEntry upload(UploadPortletRequest uploadPortletRequest) String fileName = uploadPortletRequest.getFileName("file"); + String mimeType = MimeTypesUtil.getContentType(file, fileName); + + _dlValidator.validateFileMimeType( + themeDisplay.getCompanyId(), mimeType); + DDMFormUploadValidator.validateFileSize(file, fileName); long objectFieldId = ParamUtil.getLong( @@ -155,9 +174,7 @@ public FileEntry upload(UploadPortletRequest uploadPortletRequest) ParamUtil.getLong(uploadPortletRequest, "formInstanceId"), ParamUtil.getLong(uploadPortletRequest, "groupId"), ParamUtil.getLong(uploadPortletRequest, "folderId"), file, - fileName, MimeTypesUtil.getContentType(file, fileName), - (ThemeDisplay)uploadPortletRequest.getAttribute( - WebKeys.THEME_DISPLAY)); + fileName, mimeType, themeDisplay); } finally { FileUtil.delete(file); 
@@ -252,6 +269,19 @@ public JSONObject onFailure( DDMFormUploadValidator.getGuestUploadFileExtensions(), StringPool.COMMA_AND_SPACE)); } + else if (portalException instanceof FileMimeTypeException) { + DLFileEntryMimeTypeConfiguration + dlFileEntryMimeTypeConfiguration = + _configurationProvider.getCompanyConfiguration( + DLFileEntryMimeTypeConfiguration.class, + themeDisplay.getCompanyId()); + + errorMessage = themeDisplay.translate( + "please-enter-a-file-with-a-valid-mime-type-x", + StringUtil.merge( + dlFileEntryMimeTypeConfiguration.fileMimeTypes(), + StringPool.COMMA_AND_SPACE)); + } else if (portalException instanceof FileNameException) { errorMessage = themeDisplay.translate( "please-enter-a-file-with-a-valid-file-name");
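Review bot: In `upload` (hunk @@ -140,6 +154,11 @@) `_dlValidator.validateFileMimeType(themeDisplay.getCompanyId(), mimeType)` runs for every request, while the commit title scopes the fix to guest uploads; if authenticated users were meant to keep the previous behaviour, a guest check is missing, and if the unconditional check is intended, that should be stated so the broader behaviour change for existing company mime-type configurations is deliberate. The value being validated is `MimeTypesUtil.getContentType(file, fileName)`, which takes the client-supplied name as an input; how much the new check adds beyond the existing extension check depends on whether that lookup is content-based, so a comment such as `// Reject uploads whose detected mime type is not in the company's DLFileEntryMimeTypeConfiguration; applies to all users, not only guests` would document the intent for the next reader. `upload` starts and ends outside the hunk.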
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- github.com/advisories/GHSA-56qj-wp5r-mvhj — ghsa, ADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-43750 — ghsa, ADVISORY
- github.com/liferay/liferay-portal/commit/7f58439723c8373e038d5060d0bc58ff2475bdc5 — ghsa, WEB
- github.com/liferay/liferay-portal/commit/b9e57377cb88bad1775beab50558cc2bd5a9758e — ghsa, WEB
- liferay.atlassian.net/browse/LPE-18190 — ghsa, WEB
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43750 — ghsa, WEB
News mentions
0 — No linked articles in our index yet.