CVE-2025-3639

LOW

Liferay Portal 7.3.0-7.4.3.132 & DXP - Unauthenticated Authentication Bypass via POST to GET

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-3639. PoCs published by 6lj.

AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability (CVE-2025-3639) in Liferay Portal/DXP by converting a POST login request to a GET request, bypassing MFA. It requires valid credentials and exploits a flaw in the authentication flow.

Description

Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.

Exploits (1)

Source: nomisec · Working PoC · 2 stars
by 6lj · poc
https://github.com/6lj/CVE-2025-3639


Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Liferay Portal (7.3.0–7.4.3.132) and Liferay DXP (2024.Q1 to 2025.Q1.6)
Auth required: yes
Prerequisites: Valid user credentials · Target Liferay instance with MFA enabled · Network access to the target
Analyzed by devstral-2 on Feb 16, 2026

Scores

CVSS v4: 2.0
EPSS: 0.0004 (percentile 13.9%)
CVSS vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-288
Status: published
Products (9)
com.liferay.portal/release.portal.bom 7.3.0-ga1 (Maven)
Liferay/DXP 2024.Q1.1 - 2024.Q1.15
Liferay/DXP 2024.Q3.1 - 2024.Q3.13
Liferay/DXP 2024.Q4.0 - 2024.Q4.7
Liferay/DXP 2024.Q2.0 - 2024.Q2.13
Liferay/DXP 2025.Q1.0 - 2025.Q1.6
Liferay/DXP 7.3.10 - 7.3.10-u36
Liferay/DXP 7.4.13 - 7.4.13-u92
Liferay/Portal 7.3.0 - 7.4.3.132
Published: Aug 18, 2025
Tracked Since: Feb 18, 2026