Moderate severityNVD Advisory· Published Sep 9, 2025· Updated Sep 9, 2025

CVE-2025-43777

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 exposes "Internal Server Error" in the response body when a login attempt is made with a deleted Client Secret.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay:com.liferay.portal.security.sso.openid.connect.implMaven	>= 6.0.4, < 7.0.48	7.0.48

Affected products

Liferay/Portalv5
Range: 7.4.0
Liferay/DXPv5
Range: 2024.Q1.1

Patches

e4ae0e49dd90

LPD-61377 Add IllegalArgumentException and log errors

https://github.com/liferay/liferay-portalManuele CastroJul 24, 2025via ghsa

commit

1 file changed · +3 −1

modules/apps/portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/servlet/filter/auto/login/OpenIdConnectAutoLoginFilter.java

+3 −1 modified

@@ -89,9 +89,11 @@ protected void processFilter(
 				userId -> _autoLoginUser(
 					httpServletRequest, httpServletResponse, userId));
 		}
-		catch (StrangersNotAllowedException |
+		catch (IllegalArgumentException | StrangersNotAllowedException |
 			   UserEmailAddressException.MustNotUseCompanyMx exception) {
 
+			_log.error(exception);
+
 			Class<?> clazz = exception.getClass();
 
 			actionURL = HttpComponentsUtil.addParameter(

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000