Medium severity 5.0 · NVD Advisory · Published Aug 9, 2025 · Updated Apr 29, 2026
CVE-2025-4655
Description
SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0, <= 7.4.3.132 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2025.Q1.0, < 2025.Q1.6 | 2025.Q1.6 |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.Q4.0, <= 2024.Q4.7 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.Q3.1, <= 2024.Q3.13 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.Q2.0, <= 2024.Q2.13 | — |
| com.liferay.portal:release.dxp.bom (Maven) | >= 2024.Q1.0, < 2024.Q1.16 | 2024.Q1.16 |
| com.liferay.portal:release.dxp.bom (Maven) | <= 7.4.13.u92 | — |
Affected products
- cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:* (range: >=2024.Q1.1, <2024.Q1.16)
- cpe:2.3:a:liferay:digital_experience_platform:7.4:-:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update1:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update10:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update11:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update12:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update13:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update14:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update15:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update16:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update17:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update18:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update19:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update2:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update20:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update21:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update22:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update23:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update24:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update25:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update26:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update27:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update28:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update29:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update3:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update30:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update31:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update32:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update33:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update34:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update35:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update36:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update37:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update38:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update39:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update4:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update40:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update41:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update42:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update43:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update44:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update45:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update46:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update47:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update48:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update49:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update5:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update50:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update51:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update52:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update53:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update54:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update55:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update56:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update57:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update58:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update59:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update6:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update60:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update61:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update62:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update63:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update64:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update65:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update66:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update67:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update68:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update69:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update7:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update70:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update71:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update72:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update73:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update74:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update75:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update76:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update77:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update78:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update79:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update8:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update80:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update81:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update82:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update83:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update84:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update85:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update86:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update87:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update88:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update89:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update9:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update90:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update91:*:*:*:*:*:*
- cpe:2.3:a:liferay:digital_experience_platform:7.4:update92:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-c6g5-g6r7-q4j6 (ghsa, ADVISORY)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4655 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-4655 (ghsa, ADVISORY)