CVE-2025-43819
Description
An Insufficient Session Expiration vulnerability in Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 allows a remote unauthenticated attacker to reuse an old user session via the SLO API.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.saml.impl (Maven) | < 5.0.51 | 5.0.51 |
Affected products
- Liferay/DXP v5 (range: 2024.Q1.1)
Patches
433dff5edae4 LPD-26723 Use WebKeys instead
1 file changed · +2 −1
modules/dxp/apps/saml/saml-impl/src/main/java/com/liferay/saml/internal/servlet/filter/SpSessionTerminationSamlPortalFilter.java+2 −1 modified@@ -7,6 +7,7 @@ import com.liferay.portal.kernel.log.Log; import com.liferay.portal.kernel.log.LogFactoryUtil; +import com.liferay.portal.kernel.util.WebKeys; import com.liferay.portal.util.PortalInstances; import com.liferay.saml.helper.SamlHttpRequestHelper; import com.liferay.saml.persistence.model.SamlSpSession; @@ -51,7 +52,7 @@ public boolean isFilterEnabled( HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) { - if (httpServletRequest.getAttribute("COMPANY_ID") == null) { + if (httpServletRequest.getAttribute(WebKeys.COMPANY_ID) == null) { PortalInstances.getCompanyId(httpServletRequest); }
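Review bot: In the isFilterEnabled hunk the return value of PortalInstances.getCompanyId(httpServletRequest) is still discarded, so nothing in the code says why the call is there (the companion commit message on this page explains it is needed to populate the company id for the request before the SAML enabled check runs); add a one-line comment such as `// Called for its side effect: resolves the company id for this request` so the bare call is not mistaken for dead code and removed later. Replacing the literal "COMPANY_ID" with WebKeys.COMPANY_ID is the right change for the attribute lookup, since the key now matches the constant the portal itself uses.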
da9105a61d78 LPD-26723 The SpSessionTerminationSamlPortalFilter must come before the Absolute Redirects Filter, otherwise the ARF may reinitialize the session when it should be invalidated. But, if we only adjust the order, then we will cause a regression described by LPD-40486 because the SAML filter uses the companyId from CompanyThreadLocal to determine if SAML is enabled or not, and the companyId is set in the ARF. To fully resolve this issue, the SpSessionTerminationSamlPortalFilter needs to come before the ARF and we need to ensure CompanyThreadLocal is populated with the current companyId based off the request.
1 file changed · +7 −2
modules/dxp/apps/saml/saml-impl/src/main/java/com/liferay/saml/internal/servlet/filter/SpSessionTerminationSamlPortalFilter.java+7 −2 modified@@ -7,6 +7,7 @@ import com.liferay.portal.kernel.log.Log; import com.liferay.portal.kernel.log.LogFactoryUtil; +import com.liferay.portal.util.PortalInstances; import com.liferay.saml.helper.SamlHttpRequestHelper; import com.liferay.saml.persistence.model.SamlSpSession; import com.liferay.saml.runtime.configuration.SamlProviderConfigurationHelper; @@ -27,8 +28,8 @@ */ @Component( property = { - "after-filter=Virtual Host Filter", "before-filter=Session Id Filter", - "dispatcher=FORWARD", "dispatcher=REQUEST", + "before-filter=Absolute Redirects Filter", "dispatcher=FORWARD", + "dispatcher=REQUEST", "init-param.url-regex-ignore-pattern=^/html/.+\\.(css|gif|html|ico|jpg|js|png)(\\?.*)?$", "servlet-context-name=", "servlet-filter-name=SP Session Termination SAML Portal Filter", @@ -50,6 +51,10 @@ public boolean isFilterEnabled( HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) { + if (httpServletRequest.getAttribute("COMPANY_ID") == null) { + PortalInstances.getCompanyId(httpServletRequest); + } + if (_samlProviderConfigurationHelper.isEnabled() && (httpServletRequest.getSession(false) != null)) {
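Review bot: The @Component property hunk drops "after-filter=Virtual Host Filter" together with the old "before-filter=Session Id Filter" and replaces both with only "before-filter=Absolute Redirects Filter", so the filter's position relative to the Virtual Host Filter is no longer pinned; if this filter still relies on running after virtual-host resolution, keep an explicit after-filter constraint, otherwise note why it is no longer needed. The reasoning in the commit message (the ARF may reinitialize a session that should have been invalidated) belongs in the Javadoc just above the `@Component(` line so the next person reordering filters sees why this one must precede the Absolute Redirects Filter.

Review bot: In the isFilterEnabled hunk the attribute key is the string literal "COMPANY_ID"; use the WebKeys.COMPANY_ID constant (as the other commit on this page later does) so the key cannot drift from the one the portal sets. The return value of PortalInstances.getCompanyId(httpServletRequest) is also discarded, so add a comment stating that the call is made for its side effect of populating the company id (CompanyThreadLocal, per the commit message) before _samlProviderConfigurationHelper.isEnabled() is evaluated; as written it reads as dead code.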
References
- github.com/advisories/GHSA-rpx3-f938-xj5q (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-43819 (advisory)
- github.com/liferay/liferay-portal/commit/433dff5edae4414fdc436b49a9edb62d721c84b5 (web)
- github.com/liferay/liferay-portal/commit/da9105a61d788801797797a32583a4b76c902cdc (web)
- liferay.atlassian.net/browse/LPE-18159 (web)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819 (web)
- osv.dev/vulnerability/GHSA-rpx3-f938-xj5q (web)