CVE-2025-43813
Published: 29 September 2025
Summary
CVE-2025-43813 is a medium-severity Path Traversal (CWE-22) vulnerability in Liferay Digital Experience Platform. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-43813 is a path traversal vulnerability (CWE-22) combined with a denial-of-service condition in the ComboServlet component of Liferay Portal versions 7.4.0 through 7.4.3.107, including older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. Published on 2025-09-29, the issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). It allows remote attackers to access arbitrary CSS and JavaScript (JS) files and load those files multiple times via a specially crafted query string in a URL.
The vulnerability can be exploited by unauthenticated remote attackers with network access, requiring low attack complexity and no user interaction. Successful exploitation enables limited unauthorized access to CSS and JS files through path traversal (low confidentiality impact) and repeated loading of files to trigger a denial-of-service condition, resulting in high availability disruption for affected Liferay instances.
Mitigation details are available in the Liferay security advisory at https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43813.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31658
Vulnerability details
Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older…
more
unsupported versions allows remote attackers to access arbitrary CSS and JSS files and load the files multiple times via the query string in a URL.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing Liferay web app via path traversal (T1190); crafted requests enable repeated file loading for application exhaustion DoS (T1499.003).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents path traversal attacks by validating query string inputs to the ComboServlet, blocking unauthorized access to arbitrary CSS and JS files.
Mitigates the denial-of-service condition by implementing mechanisms to protect against resource exhaustion from repeated file loading requests via crafted URLs.
Enforces boundary protection at web interfaces to filter malicious query strings attempting path traversal or excessive requests to the ComboServlet.