Liferay Portal 7.4.0–7.4.3.132 / DXP 2024–2025 Vulnerability: Freemarker Templating Leak
CVE-2025-43825 Published on October 3, 2025
A vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.5, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 allows sensitive user data to be included in the Freemarker template. This weakness permits an unauthorized actor to gain access to, and potentially render, confidential information that should remain restricted.
Weakness Type
Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. Sensitive information could include data that is sensitive in and of itself (such as credentials or private messages), or otherwise useful in the further exploitation of the system (such as internal file system structure).
Affected Versions
Liferay Portal:
- Version 7.4.0, <= 7.4.3.132 is affected.
- Version 2023.Q3.1, <= 2023.Q3.10 is affected.
- Version 2023.Q4.0, <= 2024.Q4.10 is affected.
- Version 2024.Q1.1, <= 2024.Q1.12 is affected.
- Version 2024.Q2.1, <= 2024.Q2.13 is affected.
- Version 2024.Q3.0, <= 2024.Q3.13 is affected.
- Version 2024.Q4.0, <= 2024.Q4.5 is affected.
- Version 2025.Q1.0, <= 2025.Q1.4 is affected.
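To check an inventory against these ranges, the following added example (not code from Liferay or from this page) compares version strings with the inclusive bounds given in the description above. The product labels `portal` and `dxp`, the hostnames, and the handling of a hyphenated build suffix are assumptions; DXP 7.4 GA through update 92 is flagged for manual review rather than parsed.

```python
import re

# Inclusive affected ranges, taken from the CVE description on this page.
PORTAL_MIN, PORTAL_MAX = (7, 4, 0, 0), (7, 4, 3, 132)
DXP_QUARTERLY = {  # release line -> (first affected patch, last affected patch)
    "2025.Q1": (0, 4), "2024.Q4": (0, 5), "2024.Q3": (0, 13),
    "2024.Q2": (1, 13), "2024.Q1": (1, 12),
    "2023.Q4": (0, 10), "2023.Q3": (1, 10),
}
_QUARTERLY = re.compile(r"(\d{4}\.Q[1-4])\.(\d+)", re.IGNORECASE)
_DOTTED = re.compile(r"\d+(?:\.\d+){1,3}")

def is_affected(product, version):
    """True/False for a recognised version; ValueError when it cannot be judged."""
    # Assumption: any build suffix follows a hyphen and does not change the version.
    core = version.strip().split("-", 1)[0]
    if product == "portal":
        if not _DOTTED.fullmatch(core):
            raise ValueError(f"unrecognised Portal version: {version!r}")
        parts = tuple(int(p) for p in core.split("."))
        parts += (0,) * (4 - len(parts))  # "7.4.0" -> (7, 4, 0, 0)
        return PORTAL_MIN <= parts <= PORTAL_MAX
    if product == "dxp":
        m = _QUARTERLY.fullmatch(core)
        if not m:
            # DXP 7.4 GA..update 92 is affected too but not modelled: never report "safe".
            raise ValueError(f"check manually, not a quarterly release: {version!r}")
        lo, hi = DXP_QUARTERLY.get(m.group(1).upper(), (1, 0))  # default: empty range
        return lo <= int(m.group(2)) <= hi
    raise ValueError(f"unknown product: {product!r}")

def audit(inventory):
    """Split (host, product, version) rows into affected hosts and rows needing review."""
    affected, review = [], []
    for host, product, version in inventory:
        try:
            if is_affected(product, version):
                affected.append(host)
        except ValueError as exc:
            review.append((host, str(exc)))
    return affected, review

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("cms-01", "portal", "7.4.3.132"), ("cms-02", "portal", "7.4.3.133"),
          ("dxp-01", "dxp", "2024.Q2.0"), ("dxp-02", "dxp", "2024.q3.13"),
          ("dxp-03", "dxp", "7.4 update 92")]
```

`audit(SAMPLE)` returns the affected hosts and, separately, the rows whose version string could not be judged, so an unparsed version is never silently treated as unaffected.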
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.