Moderate severityNVD Advisory· Published Sep 22, 2025· Updated Sep 23, 2025

CVE-2025-43806

Description

Batch Engine in Liferay Portal 7.4.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 does not properly check permission with import and export tasks, which allows remote authenticated users to access the exported data via the REST APIs.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay:com.liferay.headless.batch.engine.implMaven	< 4.0.52	4.0.52
com.liferay:com.liferay.batch.engine.serviceMaven	< 4.0.102	4.0.102

Affected products

Liferay/Portalv5
Range: 7.4.0
Liferay/DXPv5
Range: 7.4.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-pm45-xx4q-fmv7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-43806ghsaADVISORY
liferay.atlassian.net/browse/LPE-17957ghsaWEB
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43806ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000