Moderate severityNVD Advisory· Published Aug 9, 2025· Updated Aug 11, 2025

CVE-2025-4581

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
com.liferay.portal:release.portal.bomMaven	>= 7.4.0, <= 7.4.3.132	—
com.liferay.portal:release.dxp.bomMaven	>= 2025.Q1.0, < 2025.Q1.5	2025.Q1.5
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q4.0, <= 2024.Q4.7	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q3.1, <= 2024.Q3.13	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q2.0, <= 2024.Q2.13	—
com.liferay.portal:release.dxp.bomMaven	>= 2024.Q1.0, < 2024.Q1.16	2024.Q1.16
com.liferay.portal:release.dxp.bomMaven	<= 7.4.13.u92	—

Affected products

Liferay/Portalv5
Range: 7.4.0
Liferay/DXPv5
Range: 7.4.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-6v93-frf9-2rp8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-4581ghsaADVISORY
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4581ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000