Cyber Resilience

CVE-2025-43813

Medium

Published: 29 September 2025

Published
29 September 2025
Modified
11 December 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0020 41.9th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-43813 is a medium-severity Path Traversal (CWE-22) vulnerability in Liferay Digital Experience Platform. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-43813 is a path traversal vulnerability (CWE-22) combined with a denial-of-service condition in the ComboServlet component of Liferay Portal versions 7.4.0 through 7.4.3.107, including older unsupported versions, and Liferay DXP versions 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. Published on 2025-09-29, the issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H). It allows remote attackers to access arbitrary CSS and JavaScript (JS) files and load those files multiple times via a specially crafted query string in a URL.

The vulnerability can be exploited by unauthenticated remote attackers with network access, requiring low attack complexity and no user interaction. Successful exploitation enables limited unauthorized access to CSS and JS files through path traversal (low confidentiality impact) and repeated loading of files to trigger a denial-of-service condition, resulting in high availability disruption for affected Liferay instances.

Mitigation details are available in the Liferay security advisory at https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43813.

EU & UK References

Vulnerability details

Possible path traversal vulnerability and denial-of-service in the ComboServlet in Liferay Portal 7.4.0 through 7.4.3.107, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, 7.3 GA through update 35, and older…

more

unsupported versions allows remote attackers to access arbitrary CSS and JSS files and load the files multiple times via the query string in a URL.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Direct remote exploitation of public-facing Liferay web app via path traversal (T1190); crafted requests enable repeated file loading for application exhaustion DoS (T1499.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-43766Same product: Liferay Digital Experience Platform
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2025-0493Shared CWE-22
CVE-2025-70231Shared CWE-22
CVE-2026-43888Shared CWE-22
CVE-2025-15031Shared CWE-22
CVE-2026-25785Shared CWE-22
CVE-2025-11366Shared CWE-22

Affected Assets

liferay
digital experience platform
7.3, 7.4 · ≤ 7.3 · 2023.q3.1 — 2023.q3.9 · 2023.Q4.0 — 2023.Q4.5
liferay
liferay portal
7.3.0 — 7.3.7 · 7.4.0 — 7.4.3.108

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents path traversal attacks by validating query string inputs to the ComboServlet, blocking unauthorized access to arbitrary CSS and JS files.

prevent

Mitigates the denial-of-service condition by implementing mechanisms to protect against resource exhaustion from repeated file loading requests via crafted URLs.

preventdetect

Enforces boundary protection at web interfaces to filter malicious query strings attempting path traversal or excessive requests to the ComboServlet.

References