CVE-2025-43809
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-19

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the 'orderUuid' parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-19
Last Modified
2025-12-16
Generated
2026-06-16
AI Q&A
2025-09-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43809
EUVD
EUVD-2025-30243
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform to 7.4 (inc)
liferay digital_experience_platform From 2023.q3.1 (inc) to 2023.q3.9 (exc)
liferay digital_experience_platform From 2023.Q4.0 (inc) to 2023.Q4.8 (exc)
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.112 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43809 is a Cross-Site Request Forgery (CSRF) vulnerability in the server license registration page of Liferay Portal and Liferay DXP. It allows remote attackers to register a server license by exploiting the 'orderUuid' parameter without proper authorization, potentially causing unauthorized license registrations. [1]

Impact Analysis

This vulnerability can allow attackers to register server licenses remotely without authorization, which may lead to unauthorized use or manipulation of licensing on affected Liferay Portal and DXP installations. This could result in licensing compliance issues or operational disruptions. [1]

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the server license registration page for suspicious use of the 'orderUuid' parameter that could indicate CSRF attempts. You can use network traffic analysis tools like Wireshark or tcpdump to capture HTTP POST requests to the license registration endpoint and inspect the parameters. Additionally, using curl or similar command-line tools to test the endpoint with crafted requests containing the 'orderUuid' parameter may help identify if the system is vulnerable. Example command to test the endpoint: curl -X POST 'http://<liferay-server>/license-registration' -d 'orderUuid=<test-value>' -v [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Liferay Portal and Liferay DXP to the fixed versions: Liferay Portal 7.4.3.112 or later, Liferay DXP 2024.Q1.1 or later, Liferay DXP 2023.Q4.8 or later, or Liferay DXP 2023.Q3.9 or later. If upgrading is not immediately possible, implement CSRF protection mechanisms such as validating CSRF tokens on the license registration page and restricting access to the registration endpoint to authorized users only. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43809. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart