CVE-2025-4604: Liferay Portal CAPTCHA Bypass for Gogo Shell

August 5, 2025

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

References

github.com/advisories/GHSA-3j6h-5v68-hvqg
github.com/liferay/liferay-portal
liferay.atlassian.net/browse/LPE-18168
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4604
nvd.nist.gov/vuln/detail/CVE-2025-4604

Code Behaviors & Features

Detect and mitigate CVE-2025-4604 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →