Moderate severity · NVD Advisory · Published Aug 22, 2025 · Updated Aug 22, 2025
CVE-2025-43758
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow unauthenticated users (guests) to access, via URL, files that were uploaded through an object entry and stored in document_library.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.frontend.js.web (Maven) | < 5.0.125 | 5.0.125 |
| com.liferay:com.liferay.object.dynamic.data.mapping.form.field.type (Maven) | < 1.0.65 | 1.0.65 |
| com.liferay:com.liferay.object.web (Maven) | < 1.0.219 | 1.0.219 |
Affected products
- Liferay/DXP · v5 · Range: 7.4.13
Patches
bf036898c413 LPD-49363 Hide the download button for guest users
2 files changed · +9 −6
modules/apps/frontend-js/frontend-js-web/src/main/resources/META-INF/resources/liferay/liferay.d.ts+1 −0 modified@@ -257,6 +257,7 @@ declare module Liferay { export function getUserId(): string; export function isControlPanel(): boolean; export function isImpersonated(): boolean; + export function isSignedIn(): boolean; } namespace Util {
modules/apps/object/object-dynamic-data-mapping-form-field-type/src/main/resources/META-INF/resources/js/Attachment/FileContainer.tsx+8 −6 modified@@ -41,12 +41,14 @@ export default function FileContainer({ {attachment.title} </ClayButton> - <a - className="lfr-objects__attachment-download" - href={attachment.contentURL} - > - <ClayIcon symbol="download" /> - </a> + {Liferay.ThemeDisplay.isSignedIn() && ( + <a + className="lfr-objects__attachment-download" + href={attachment.contentURL} + > + <ClayIcon symbol="download" /> + </a> + )} {!readOnly && ( <>
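Review bot: in FileContainer.tsx the `Liferay.ThemeDisplay.isSignedIn()` check only decides whether the download `<a>` is rendered; the `attachment` object, including `contentURL`, is still available to the component for guests, so this is presentation-only and does not by itself stop a guest from requesting that URL directly. Add a comment at the conditional stating that the server-side permission on the file entry is the actual control, so the check is not later mistaken for access enforcement. The new `isSignedIn(): boolean` declaration in liferay.d.ts also has no doc comment; a one-line note that it reflects client-side theme state would help.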
ff4efcb59b6b LPD-49363 Remove download permission after submit file entry
1 file changed · +24 −1
modules/apps/object/object-web/src/main/java/com/liferay/object/web/internal/deployer/ObjectDefinitionDeployerImpl.java+24 −1 modified@@ -14,6 +14,7 @@ import com.liferay.document.library.kernel.exception.FileExtensionException; import com.liferay.document.library.kernel.exception.FileSizeException; import com.liferay.document.library.kernel.exception.InvalidFileException; +import com.liferay.document.library.kernel.model.DLFileEntry; import com.liferay.document.library.kernel.service.DLAppLocalService; import com.liferay.document.library.kernel.service.DLFileEntryLocalService; import com.liferay.document.library.util.DLURLHelper; @@ -125,15 +126,20 @@ import com.liferay.portal.kernel.json.JSONUtil; import com.liferay.portal.kernel.language.Language; import com.liferay.portal.kernel.model.Company; +import com.liferay.portal.kernel.model.ResourceConstants; +import com.liferay.portal.kernel.model.role.RoleConstants; import com.liferay.portal.kernel.notifications.UserNotificationDefinition; import com.liferay.portal.kernel.notifications.UserNotificationHandler; import com.liferay.portal.kernel.portlet.ControlPanelEntry; import com.liferay.portal.kernel.portlet.bridges.mvc.MVCActionCommand; import com.liferay.portal.kernel.portlet.bridges.mvc.MVCRenderCommand; import com.liferay.portal.kernel.repository.model.FileEntry; +import com.liferay.portal.kernel.security.permission.ActionKeys; import com.liferay.portal.kernel.security.permission.resource.PortletResourcePermission; import com.liferay.portal.kernel.service.GroupLocalService; import com.liferay.portal.kernel.service.PortletLocalService; +import com.liferay.portal.kernel.service.ResourcePermissionLocalService; +import com.liferay.portal.kernel.service.RoleLocalService; import com.liferay.portal.kernel.service.UserLocalService; import com.liferay.portal.kernel.theme.ThemeDisplay; import com.liferay.portal.kernel.upload.UploadPortletRequest; 
@@ -841,9 +847,15 @@ private String _getResourceName(ObjectDefinition objectDefinition) { @Reference private PortletLocalService _portletLocalService; + @Reference + private ResourcePermissionLocalService _resourcePermissionLocalService; + @Reference private RESTContextPathResolverRegistry _restContextPathResolverRegistry; + @Reference + private RoleLocalService _roleLocalService; + @Reference(target = "(osgi.web.symbolicname=com.liferay.object.web)") private ServletContext _servletContext; @@ -912,11 +924,22 @@ public FileEntry upload(UploadPortletRequest uploadPortletRequest) fileName, file.length(), objectFieldId, themeDisplay.isSignedIn()); - return TempFileEntryUtil.addTempFileEntry( + FileEntry tempFileEntry = TempFileEntryUtil.addTempFileEntry( groupId, themeDisplay.getUserId(), objectDefinition.getPortletId(), TempFileEntryUtil.getTempFileName(fileName), file, _mimeTypes.getContentType(file, fileName)); + + _resourcePermissionLocalService.removeResourcePermission( + themeDisplay.getCompanyId(), DLFileEntry.class.getName(), + ResourceConstants.SCOPE_INDIVIDUAL, + String.valueOf(tempFileEntry.getFileEntryId()), + _roleLocalService.getRole( + themeDisplay.getCompanyId(), RoleConstants.GUEST + ).getRoleId(), + ActionKeys.DOWNLOAD); + + return tempFileEntry; } finally { if (file != null) {
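Review bot: in `upload()`, the guest `DOWNLOAD` permission is removed only after `TempFileEntryUtil.addTempFileEntry(...)` has returned, so the entry exists briefly with whatever permissions it was created with, and if `_roleLocalService.getRole(...)` or `removeResourcePermission(...)` throws, the temp entry is left in place with that permission intact; the visible `finally` only deals with `file`. Consider creating the entry without the guest permission in the first place, or deleting `tempFileEntry` when the permission call fails. The change also only affects entries created through this method from now on, so a test asserting that a guest cannot download either the temp entry or the entry kept after the object entry is submitted would show that the intent in the commit title is met.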
References
- github.com/advisories/GHSA-mm62-gwj5-j285 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43758 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/bf036898c413b6733918f4bfeba59896f1abb34a (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/ff4efcb59b6b9acf548d37787b8d4b3d1126fff8 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-18186 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43758 (ghsa, WEB)