CVE-2025-43747

MEDIUM

Liferay DXP 2025.Q2.0-2025.Q2.3 SSRF via Analytics Domain Validation Bypass

Title source: llm
STIX 2.1

Description

A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains.

References (1)

Core 1

Scores

CVSS v3 6.5
EPSS 0.0005
EPSS Percentile 16.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-918
Status published
Products (1)
liferay/digital_experience_platform 2025.Q2.0 - 2025.Q2.4
Published Aug 21, 2025
Tracked Since Feb 18, 2026