CVE-2025-43777
BaseFortify

Publication date: 2025-09-09

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 expose "Internal Server Error" in the response body when a login attempt is made with a deleted Client Secret.
Meta Information
Published: 2025-09-09
Last Modified: 2025-12-12
Generated: 2026-06-16
AI Q&A: 2025-09-09
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 7 associated CPEs

Vendor   Product                      Version / Range
liferay  digital_experience_platform  From 2024.q1.1 (inc) to 2024.q1.20 (exc)
liferay  digital_experience_platform  From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay  digital_experience_platform  From 2024.Q3.0 (inc) to 2024.Q3.13 (inc)
liferay  digital_experience_platform  From 2024.q4.0 (inc) to 2024.q4.7 (inc)
liferay  digital_experience_platform  From 2025.Q1.0 (inc) to 2025.Q1.17 (exc)
liferay  digital_experience_platform  From 2025.Q2.0 (inc) to 2025.Q2.10 (exc)
liferay  liferay_portal               From 7.4.0 (inc) to 7.4.3.132 (inc)
CWE
CWE-209: The product generates an error message that includes sensitive information about its environment, users, or associated data.
Executive Summary

This vulnerability in Liferay Portal and Liferay DXP causes an "Internal Server Error" message to be returned in the response body when a login attempt is made using a deleted Client Secret. It affects multiple versions and allows an unauthenticated client to observe this error message during such login attempts. [1]

Impact Analysis

The vulnerability reveals an internal server error message to the caller during login attempts made with a deleted Client Secret. The direct impact on confidentiality and integrity is low, but the error text distinguishes a deleted secret from an ordinary failed login and may give an attacker information about the system's behavior or configuration that assists further attacks. [1]

Detection Guidance

This vulnerability can be detected by monitoring login attempts that return an "Internal Server Error" response when a deleted Client Secret is used. It can be confirmed by attempting a login with a known deleted or invalid Client Secret and inspecting the response body for the error message; a patched instance should return an ordinary authentication failure instead. Specific commands are not provided in the resources, but a tool such as curl or Postman can be used to send the login request and check the response body. [1]

Mitigation Strategies

The mitigation is to upgrade to a fixed version of Liferay Portal or Liferay DXP. The vulnerability has been fixed in the Liferay Portal master branch and in Liferay DXP versions 2024.Q1.20, 2025.Q1.17, and 2025.Q2.10. Applying these updates resolves the issue. [1]
