CVE-2025-43808: Liferay Portal Commerce component has Incorrect Permission Assignment for Critical Resource

September 19, 2025 (updated November 10, 2025)

The Commerce component in Liferay Portal 7.3.0 through 7.4.3.112, and Liferay DXP 2023.Q4.0 through 2023.Q4.8, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and 7.3 service pack 3 through update 35 saves virtual products uploaded to Documents and Media with guest view permission, which allows remote attackers to access and download virtual products for free via a crafted URL.

References

github.com/advisories/GHSA-chr3-w547-85hw
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43808
nvd.nist.gov/vuln/detail/CVE-2025-43808

Code Behaviors & Features

Detect and mitigate CVE-2025-43808 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →