CVE-2025-43829: Liferay Portal Commerce Shop is vulnerable to Stored XSS through SVG file

October 8, 2025 (updated November 10, 2025)

Stored Cross-Site Scripting (XSS) vulnerability in diagram type products in Commerce in Liferay Portal 7.4.3.18 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 update 18 through update 92. This vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a SVG file.

References

github.com/advisories/GHSA-893r-jr58-3hxr
github.com/liferay/liferay-portal
github.com/liferay/liferay-portal/commit/288ba1f41f8c3374c80d7af27346eeebb8c780d0
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43829
nvd.nist.gov/vuln/detail/CVE-2025-43829

Code Behaviors & Features

Detect and mitigate CVE-2025-43829 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →