CVE-2025-43819: Liferay Portal and DXP does not properly expire sessions
Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.
References
- github.com/advisories/GHSA-rpx3-f938-xj5q
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/433dff5edae4414fdc436b49a9edb62d721c84b5
- github.com/liferay/liferay-portal/commit/da9105a61d788801797797a32583a4b76c902cdc
- liferay.atlassian.net/browse/LPE-18159
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819
- nvd.nist.gov/vuln/detail/CVE-2025-43819
- osv.dev/vulnerability/GHSA-rpx3-f938-xj5q