CVE-2025-43798
Description
Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Liferay DXP's TOTP implementation allows the same one-time password to be reused within its validity window, enabling attackers with a captured TOTP to authenticate as the victim.
CVE-2025-43798 is a vulnerability in Liferay DXP's time-based one-time password (TOTP) multi-factor authentication. Due to a missing check, the same TOTP value can be accepted multiple times during its validity period instead of being invalidated after first use [1][3]. The root cause is that the verifyBrowserRequest method did not record the last used TOTP, and the _verify method did not reject previously used values [3].
Exploitation
An attacker who obtains a user's valid TOTP (e.g., through phishing, a compromised device, or network interception) can reuse that same code to authenticate multiple times before it expires. No further credentials are needed—the TOTP alone is sufficient for authentication [1][4]. The attack is network-based and requires only access to the TOTP value [4].
Impact
Successful exploitation gives the attacker authenticated access to the Liferay DXP instance as the targeted user. While the CVSS vector limits direct confidentiality/integrity impact to low, this bypass of multi-factor authentication can lead to unauthorized access, data exposure, or further privilege escalation within the application [4].
Mitigation
Liferay has released fixes in versions 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, and 7.3 U36 [4]. The commit for LPS-189573 implements single-use enforcement by storing the last valid TOTP and rejecting repeats [3]. Users on affected versions should upgrade immediately. There is no mention of this CVE being added to CISA's Known Exploited Vulnerabilities catalog as of publication.
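To make the root cause concrete, here is an added illustration (not Liferay code, and Python rather than the project's Java): a skew-window check in the shape of the unpatched `_verify`, beside a hardened verifier that goes a step beyond the commit by remembering the last accepted RFC 6238 time step instead of only the last code string, so a replay is refused across the whole skew window. `DEMO_SECRET`, the class names and the in-memory watermark are assumptions made for this example.

```python
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30
DEMO_SECRET = b"constructed-demo-secret"  # constructed sample key, not a real shared secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Skew-window check in the shape of the unpatched code: a code keeps working until its window expires."""

    def __init__(self, secret: bytes, clock_skew: int = 1) -> None:
        self.secret = secret
        self.clock_skew = clock_skew  # adjacent 30-second steps tolerated on either side of "now"

    def _matching_step(self, code: str, now: int) -> Optional[int]:
        current = now // STEP_SECONDS
        for step in range(current - self.clock_skew, current + self.clock_skew + 1):
            if hmac.compare_digest(hotp(self.secret, step), code):
                return step
        return None

    def verify(self, code: str, now: int) -> bool:
        return self._matching_step(code, now) is not None


class SingleUseTotpVerifier(TotpVerifier):
    """Hardened form: remember the last accepted step and refuse it, or any earlier one, across the whole window."""

    def __init__(self, secret: bytes, clock_skew: int = 1) -> None:
        super().__init__(secret, clock_skew)
        self.last_accepted_step: Optional[int] = None  # Liferay persists this per user; kept in memory here

    def verify(self, code: str, now: int) -> bool:
        step = self._matching_step(code, now)
        if step is None:
            return False
        if self.last_accepted_step is not None and step <= self.last_accepted_step:
            return False  # replay of a consumed step (or an older one): refused
        self.last_accepted_step = step  # consume the step before reporting success
        return True
```

Calling `verify` twice with the same code and a timestamp inside the same window returns `True` then `False` on the single-use verifier, while the unpatched shape returns `True` both times.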
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.multi.factor.authentication.timebased.otp.web (Maven) | < 2.0.25 | 2.0.25 |
Affected products
Liferay / DXP (v5 range): 7.3.10
Patches
11df25e46675a LPS-189573 Make TOTP single use only
1 file changed · +11 −3
modules/dxp/apps/multi-factor-authentication/multi-factor-authentication-timebased-otp-web/src/main/java/com/liferay/multi/factor/authentication/timebased/otp/web/internal/checker/TimeBasedOTPBrowserSetupMFAChecker.java+11 −3 modified@@ -278,6 +278,9 @@ public boolean verifyBrowserRequest( _mfaTimeBasedOTPEntryLocalService.updateAttempts( userId, remoteAddress, true); + _mfaTimeBasedOTPEntryLocalService.updateLastTOTP( + userId, mfaTimeBasedOTP); + _mfaTimeBasedOTPAuditMessageBuilder.routeAuditMessage( _mfaTimeBasedOTPAuditMessageBuilder. buildVerificationSuccessAuditMessage( @@ -418,9 +421,14 @@ private boolean _verify(String timeBasedOtpValue, long userId) { userId); if (mfaTimeBasedOTPEntry != null) { - return MFATimeBasedOTPUtil.verifyTimeBasedOTP( - _mfaTimeBasedOTPConfiguration.clockSkew(), - mfaTimeBasedOTPEntry.getSharedSecret(), timeBasedOtpValue); + String lastValidTimeBasedOtpValue = + mfaTimeBasedOTPEntry.getLastValidTOTP(); + + if (!timeBasedOtpValue.equals(lastValidTimeBasedOtpValue)) { + return MFATimeBasedOTPUtil.verifyTimeBasedOTP( + _mfaTimeBasedOTPConfiguration.clockSkew(), + mfaTimeBasedOTPEntry.getSharedSecret(), timeBasedOtpValue); + } } return false;
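Review bot: in the `verifyBrowserRequest` hunk the single-use state is written only on this success path, and only after `updateAttempts` has run, so two requests carrying the same code that overlap in time can both pass `_verify` before either reaches `updateLastTOTP(userId, mfaTimeBasedOTP)`. Consider folding the compare and the store into one atomic operation on the entry (a compare-and-set in `_mfaTimeBasedOTPEntryLocalService`), and confirm that every other caller of `_verify` records the accepted value the same way, otherwise the check in `_verify` has nothing to compare against on those paths.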
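Review bot: in the `_verify` hunk the rejection covers only the single string from `getLastValidTOTP()`, while `verifyTimeBasedOTP` still accepts every step inside `_mfaTimeBasedOTPConfiguration.clockSkew()`; once a newer code has been stored, an older code accepted earlier in the same window is no longer blocked. The usual RFC 6238 approach is to persist the last accepted time-step counter and refuse any step at or below it, which closes the whole skew window rather than one value. Also, `timeBasedOtpValue.equals(lastValidTimeBasedOtpValue)` throws if a caller passes a null `timeBasedOtpValue`; a null `lastValidTimeBasedOtpValue` on first use is handled, but an explicit null check on the input (or `Objects.equals`) would make the method safe for both.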
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References