CVE-2025-43809: Liferay Portal Cross-Site Request Forgery (CSRF) vulnerability

September 19, 2025

Cross-Site Request Forgery (CSRF) vulnerability in the server (license) registration page in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.7, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, and older unsupported versions allows remote attackers to register a server license via the ‘orderUuid’ parameter.

References

github.com/advisories/GHSA-697h-3q6m-jwp4
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43809
nvd.nist.gov/vuln/detail/CVE-2025-43809

Code Behaviors & Features

Detect and mitigate CVE-2025-43809 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →