CVE-2025-43773
Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 have a security vulnerability that allows improper access through the expandoTableLocalService.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.portal.workflow.kaleo.runtime.impl (Maven) | < 6.0.93 | 6.0.93 |
Affected products
- Liferay/DXP (v5 range: 7.4.13)
Patches
58849cc83348 LPD-55455 Passing a real ExecutionContext
2 files changed · +78 −10
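--- a/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
@@ -169,10 +169,8 @@ private void _populateContextVariables(
 KaleoInstanceToken kaleoInstanceToken =
 executionContext.getKaleoInstanceToken();
 
-if (kaleoInstanceToken != null) {
-template.put("userId", kaleoInstanceToken.getUserId());
-template.put("userName", kaleoInstanceToken.getUserName());
-}
+template.put("userId", kaleoInstanceToken.getUserId());
+template.put("userName", kaleoInstanceToken.getUserName());
 }
 
 KaleoTimerInstanceToken kaleoTimerInstanceToken =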
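Review bot: Dropping the null guard makes `_populateContextVariables` dereference `kaleoInstanceToken` unconditionally, and a null token is a reachable state — the test this commit replaces built `new ExecutionContext(null, new HashMap<>(), null)` — so `kaleoInstanceToken.getUserId()` now fails with a NullPointerException instead of leaving `userId`/`userName` unset. If the intent is that every caller now supplies a real token, that precondition belongs at the method entry, e.g. `Objects.requireNonNull(executionContext.getKaleoInstanceToken(), "kaleoInstanceToken")`, rather than surfacing as an NPE mid-population; the later commit on this page (9f56b195) restores the guard instead. The surrounding block and the rest of `_populateContextVariables` are outside this hunk, so whether a null `executionContext.getKaleoInstance()` is handled the same way cannot be checked here.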
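--- a/modules/apps/portal-workflow/portal-workflow-kaleo-test/src/testIntegration/java/com/liferay/portal/workflow/kaleo/internal/runtime/integration/test/TemplateNotificationMessageGeneratorTest.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-test/src/testIntegration/java/com/liferay/portal/workflow/kaleo/internal/runtime/integration/test/TemplateNotificationMessageGeneratorTest.java
@@ -6,22 +6,37 @@
 package com.liferay.portal.workflow.kaleo.internal.runtime.integration.test;
 
 import com.liferay.arquillian.extension.junit.bridge.junit.Arquillian;
+import com.liferay.blogs.model.BlogsEntry;
 import com.liferay.petra.lang.SafeCloseable;
+import com.liferay.petra.string.StringPool;
+import com.liferay.portal.kernel.service.ServiceContext;
 import com.liferay.portal.kernel.test.AssertUtils;
 import com.liferay.portal.kernel.test.rule.AggregateTestRule;
 import com.liferay.portal.kernel.test.util.PropsValuesTestUtil;
 import com.liferay.portal.kernel.test.util.RandomTestUtil;
+import com.liferay.portal.kernel.test.util.ServiceContextTestUtil;
+import com.liferay.portal.kernel.util.HashMapBuilder;
+import com.liferay.portal.kernel.workflow.WorkflowConstants;
 import com.liferay.portal.test.rule.Inject;
 import com.liferay.portal.test.rule.LiferayIntegrationTestRule;
 import com.liferay.portal.test.rule.PermissionCheckerMethodTestRule;
+import com.liferay.portal.workflow.kaleo.definition.Task;
+import com.liferay.portal.workflow.kaleo.model.KaleoInstance;
+import com.liferay.portal.workflow.kaleo.model.KaleoInstanceToken;
 import com.liferay.portal.workflow.kaleo.model.KaleoNode;
 import com.liferay.portal.workflow.kaleo.runtime.ExecutionContext;
 import com.liferay.portal.workflow.kaleo.runtime.notification.NotificationMessageGenerationException;
 import com.liferay.portal.workflow.kaleo.runtime.notification.NotificationMessageGenerator;
+import com.liferay.portal.workflow.kaleo.runtime.util.WorkflowContextUtil;
+import com.liferay.portal.workflow.kaleo.service.KaleoInstanceLocalService;
+import com.liferay.portal.workflow.kaleo.service.KaleoInstanceTokenLocalService;
+import com.liferay.portal.workflow.kaleo.service.KaleoNodeLocalService;
+import com.liferay.portal.workflow.kaleo.service.KaleoTaskInstanceTokenLocalService;
 
-import java.util.HashMap;
+import java.io.Serializable;
 
 import org.junit.Assert;
+import org.junit.Before;
 import org.junit.ClassRule;
 import org.junit.Rule;
 import org.junit.Test;
@@ -40,10 +55,40 @@ public class TemplateNotificationMessageGeneratorTest {
 new LiferayIntegrationTestRule(),
 PermissionCheckerMethodTestRule.INSTANCE);
 
-@Test
-public void testGenerateMessage()
-throws NotificationMessageGenerationException {
+@Before
+public void setUp() throws Exception {
+ServiceContext serviceContext =
+ServiceContextTestUtil.getServiceContext();
+
+_kaleoInstance = _kaleoInstanceLocalService.addKaleoInstance(
+1, 1, RandomTestUtil.randomString(), 1,
+HashMapBuilder.<String, Serializable>put(
+WorkflowConstants.CONTEXT_ENTRY_CLASS_NAME,
+BlogsEntry.class.getName()
+).put(
+WorkflowConstants.CONTEXT_SERVICE_CONTEXT, serviceContext
+).build(),
+serviceContext);
+
+KaleoNode kaleoNode = _kaleoNodeLocalService.addKaleoNode(
+_kaleoInstance.getKaleoDefinitionId(),
+_kaleoInstance.getKaleoDefinitionVersionId(),
+new Task(RandomTestUtil.randomString(), StringPool.BLANK),
+serviceContext);
+_kaleoInstanceToken =
+_kaleoInstanceTokenLocalService.addKaleoInstanceToken(
+kaleoNode.getKaleoNodeId(),
+_kaleoInstance.getKaleoDefinitionId(),
+_kaleoInstance.getKaleoDefinitionVersionId(),
+_kaleoInstance.getKaleoInstanceId(), 0,
+WorkflowContextUtil.convert(
+_kaleoInstance.getWorkflowContext()),
+serviceContext);
+}
+
+@Test
+public void testGenerateMessage() throws Exception {
 
 try (SafeCloseable safeCloseable =
 PropsValuesTestUtil.swapWithSafeCloseable(
 "NOTIFICATION_EMAIL_TEMPLATE_ENABLED", true)) {
@@ -52,7 +97,11 @@ public void testGenerateMessage()
 KaleoNode.class.getName(), RandomTestUtil.randomLong(),
 RandomTestUtil.randomString(), "freemarker",
 "Hello ${serviceLocator}!",
-new ExecutionContext(null, new HashMap<>(), null));
+new ExecutionContext(
+_kaleoInstanceToken,
+WorkflowContextUtil.convert(
+_kaleoInstance.getWorkflowContext()),
+ServiceContextTestUtil.getServiceContext()));
 
 Assert.assertTrue(message.contains("ServiceLocator"));
 }
@@ -68,10 +117,31 @@ public void testGenerateMessage()
 KaleoNode.class.getName(), RandomTestUtil.randomLong(),
 RandomTestUtil.randomString(), "freemarker",
 "Hello ${serviceLocator}!",
-new ExecutionContext(null, new HashMap<>(), null)));
+new ExecutionContext(
+_kaleoInstanceToken,
+WorkflowContextUtil.convert(
+_kaleoInstance.getWorkflowContext()),
+ServiceContextTestUtil.getServiceContext())));
 }
 }
 
+private KaleoInstance _kaleoInstance;
+
+@Inject
+private KaleoInstanceLocalService _kaleoInstanceLocalService;
+
+private KaleoInstanceToken _kaleoInstanceToken;
+
+@Inject
+private KaleoInstanceTokenLocalService _kaleoInstanceTokenLocalService;
+
+@Inject
+private KaleoNodeLocalService _kaleoNodeLocalService;
+
+@Inject
+private KaleoTaskInstanceTokenLocalService
+_kaleoTaskInstanceTokenLocalService;
+
 @Inject(
 filter = "component.name=com.liferay.portal.workflow.kaleo.runtime.internal.notification.TemplateNotificationMessageGenerator"
 )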
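Review bot: `_kaleoTaskInstanceTokenLocalService` is injected in the new field block but is never referenced in `setUp` or in either `generateMessage` call, so it is dead wiring that should be removed or actually used. The `@Before` persists a `KaleoInstance`, a `KaleoNode` and a `KaleoInstanceToken` through their local services, yet no `@After` or `@DeleteAfterTestRun` appears in these hunks, so unless a rule outside the hunks cleans them up the rows accumulate across test runs. A one-line comment on `setUp`, e.g. `// The generator now reads userId/userName from the token, so a persisted KaleoInstanceToken replaces the former null stub`, would record why the stub `ExecutionContext` was replaced. The class header, its class-level rules and the body of the second test case are outside these hunks.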
9f56b195aec5LPD-55455 Avoid possible nullpointer when getting data from kaleoInstanceToken
1 file changed · +4 −2
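--- a/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
@@ -172,8 +172,10 @@ private void _populateContextVariables(
 KaleoInstanceToken kaleoInstanceToken =
 executionContext.getKaleoInstanceToken();
 
-template.put("userId", kaleoInstanceToken.getUserId());
-template.put("userName", kaleoInstanceToken.getUserName());
+if (kaleoInstanceToken != null) {
+template.put("userId", kaleoInstanceToken.getUserId());
+template.put("userName", kaleoInstanceToken.getUserName());
+}
 }
 
 KaleoTimerInstanceToken kaleoTimerInstanceToken =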
8eacaaa1e355LPD-55455 Prioritize TemplateNotificationMessageGenerator when injecting
1 file changed · +4 −1
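--- a/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
@@ -43,7 +43,10 @@
  * @author Marcellus Tavares
  * @author Michael C. Han
  */
-@Component(service = NotificationMessageGenerator.class)
+@Component(
+property = "service.ranking:Integer=100",
+service = NotificationMessageGenerator.class
+)
 public class TemplateNotificationMessageGenerator
 implements NotificationMessageGenerator {
 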
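Review bot: The literal `service.ranking:Integer=100` on the `@Component` annotation says nothing about what it is meant to outrank, so the next contributor registering a `NotificationMessageGenerator` cannot tell whether their ranking must stay below 100 or whether this one must win. A comment above the annotation would make the intent of the commit visible in the source, e.g. `// Rank above other NotificationMessageGenerator services so this implementation is the one resolved where a single generator is injected`. Whether any other generator in a deployment already registers with a ranking is not visible here and should be confirmed, since a competing higher ranking would silently undo this change.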
1cbc4b615c27LPD-55455 Restrict template based on portal props
1 file changed · +2 −1
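--- a/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
@@ -17,6 +17,7 @@
 import com.liferay.portal.kernel.template.TemplateConstants;
 import com.liferay.portal.kernel.template.TemplateManagerUtil;
 import com.liferay.portal.kernel.util.Validator;
+import com.liferay.portal.util.PropsValues;
 import com.liferay.portal.workflow.kaleo.KaleoWorkflowModelConverter;
 import com.liferay.portal.workflow.kaleo.model.KaleoInstance;
 import com.liferay.portal.workflow.kaleo.model.KaleoInstanceToken;
@@ -112,7 +113,7 @@ private Template _getTemplate(
 return TemplateManagerUtil.getTemplate(
 templateManagerName,
 new StringTemplateResource(templateId, notificationTemplate),
-false);
+!PropsValues.NOTIFICATION_EMAIL_TEMPLATE_ENABLED);
 }
 
 private void _populateContextVariables(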
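Review bot: The new third argument `!PropsValues.NOTIFICATION_EMAIL_TEMPLATE_ENABLED` turns an "enabled" property into a positional boolean whose meaning is invisible at the call site, which makes this hardening easy to misread or accidentally invert on the next edit. A named local spells it out: `boolean restricted = !PropsValues.NOTIFICATION_EMAIL_TEMPLATE_ENABLED;` and then `..., restricted);` as the last argument, with a comment stating that notification templates authored in a workflow definition run restricted unless the portal property explicitly opts in (if I read the `TemplateManager` API correctly the parameter is `restricted`; confirm against its declaration). Because the behaviour now hinges on a portal property, the default of `NOTIFICATION_EMAIL_TEMPLATE_ENABLED` in portal.properties (not shown here) decides whether a fresh install runs restricted — confirm it defaults to the restricted side, and that the test case that swaps it to `false` asserts generation fails rather than silently succeeding. `_getTemplate` starts outside this hunk.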
f33cda648a90LPD-55455 Extract method for get template
1 file changed · +25 −16
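--- a/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
+++ b/modules/apps/portal-workflow/portal-workflow-kaleo-runtime-impl/src/main/java/com/liferay/portal/workflow/kaleo/runtime/internal/notification/TemplateNotificationMessageGenerator.java
@@ -53,23 +53,10 @@ public String generateMessage(
 ExecutionContext executionContext)
 throws NotificationMessageGenerationException {
 
-String templateManagerName = _templateManagerNames.get(
-notificationTemplateLanguage);
-
-if (Validator.isNull(templateManagerName)) {
-throw new NotificationMessageGenerationException(
-"Unsupported notification template language " +
-notificationTemplateLanguage);
-}
-
 try {
-String templateId =
-notificationName + kaleoClassName + kaleoClassPK;
-
-Template template = TemplateManagerUtil.getTemplate(
-templateManagerName,
-new StringTemplateResource(templateId, notificationTemplate),
-false);
+Template template = _getTemplate(
+kaleoClassName, kaleoClassPK, notificationName,
+notificationTemplate, notificationTemplateLanguage);
 
 _populateContextVariables(template, executionContext);
 
@@ -106,6 +93,28 @@ protected void activate() {
 _templateManagerNames.put("velocity", TemplateConstants.LANG_TYPE_VM);
 }
 
+private Template _getTemplate(
+String kaleoClassName, long kaleoClassPK, String notificationName,
+String notificationTemplate, String notificationTemplateLanguage)
+throws Exception {
+
+String templateManagerName = _templateManagerNames.get(
+notificationTemplateLanguage);
+
+if (Validator.isNull(templateManagerName)) {
+throw new NotificationMessageGenerationException(
+"Unsupported notification template language " +
+notificationTemplateLanguage);
+}
+
+String templateId = notificationName + kaleoClassName + kaleoClassPK;
+
+return TemplateManagerUtil.getTemplate(
+templateManagerName,
+new StringTemplateResource(templateId, notificationTemplate),
+false);
+}
+
 private void _populateContextVariables(
 Template template, ExecutionContext executionContext)
 throws Exception {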
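Review bot: Moving the language check into `_getTemplate` also moves it inside the `try` of `generateMessage`, so the `NotificationMessageGenerationException` for an unsupported language, previously thrown before the `try`, now flows through whatever `catch` follows it (outside this hunk); if that catch handles `Exception` broadly, callers will receive it rewrapped rather than as the original exception, which is a behaviour change the commit message does not mention. `_getTemplate` is also declared `throws Exception` although its body throws only `NotificationMessageGenerationException` and whatever `TemplateManagerUtil.getTemplate` declares; narrowing the clause to those types keeps the signature honest and lets the caller's catch stay specific. A short Javadoc on the helper would help the next reader, e.g. `/** Resolves the template manager for {@code notificationTemplateLanguage} and builds a string template keyed by notification name, class name and class PK. */`. The catch block of `generateMessage` is outside this hunk.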
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-876g-49r6-33qj (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43773 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/1cbc4b615c270ce986b7fa1835ed196a11ac3234 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/58849cc83348af289944c874301e16e039ae4270 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/8eacaaa1e3552648a3e4a0975731641087d186af (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/9f56b195aec5c1c904242206d61f3fe412701941 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/f33cda648a9082567d7de06c27ba9d3583ee8ff5 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-18262 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43773 (ghsa, WEB)