CVE-2025-43768 Overview
CVE-2025-43768 is an information disclosure vulnerability in Liferay Portal and Liferay Digital Experience Platform (DXP). Authenticated users without any assigned permissions can access sensitive information belonging to administrator accounts through the JSONWS (JSON Web Services) APIs. The flaw affects Liferay Portal versions 7.4.0 through 7.4.3.131 and multiple Liferay DXP release branches across 2024 quarterly releases and 7.4 GA through update 92. The vulnerability is classified under CWE-201: Insertion of Sensitive Information Into Sent Data.
Critical Impact
Low-privileged authenticated users can enumerate administrator account information through exposed JSONWS API endpoints, enabling reconnaissance for further attacks.
Affected Products
- Liferay Portal 7.4.0 through 7.4.3.131
- Liferay DXP 2024.Q1.1–2024.Q1.15, 2024.Q2.0–2024.Q2.13, 2024.Q3.1–2024.Q3.13, 2024.Q4.0–2024.Q4.7
- Liferay DXP 7.4 GA through update 92
Discovery Timeline
- 2025-08-23 - CVE-2025-43768 published to NVD
- 2025-12-12 - Last updated in NVD database
Technical Details for CVE-2025-43768
Vulnerability Analysis
The vulnerability resides in Liferay's JSONWS API surface, which exposes server-side service methods through HTTP endpoints under /api/jsonws. These endpoints enforce permission checks inconsistently, allowing an authenticated user lacking any explicit role or permission assignment to retrieve fields that should be restricted to administrators. The exposed data relates to admin user accounts and supports attacker reconnaissance against the portal.
This class of weakness falls under CWE-201, where sensitive information is included in a response sent to a party that is not authorized to view it. In Liferay's multi-tenant deployment model, this can expose customer administrator data across sites hosted on the same platform.
Root Cause
The root cause is missing or insufficient authorization on selected JSONWS service methods exposing user-related fields. While authentication is required, the service layer does not verify that the calling user holds permissions sufficient to read the targeted administrator records. Authorization checks rely on assumptions about caller privileges that do not hold for low-privilege accounts.
Attack Vector
An attacker first obtains any valid authenticated session on the Liferay portal, including a self-registered user account where registration is open. The attacker then issues JSONWS API requests targeting user-lookup or user-listing service endpoints. The server returns sensitive fields belonging to administrative accounts. User interaction is required, as reflected in the CVSS vector (UI:P), which suggests the exploitation chain depends on a victim-driven trigger or a specific portal configuration.
No public proof-of-concept code is available for CVE-2025-43768. See the Liferay Security Advisory CVE-2025-43768 for vendor-confirmed technical details.
Detection Methods for CVE-2025-43768
Indicators of Compromise
- Unexpected HTTP requests to /api/jsonws/* endpoints originating from low-privileged user sessions.
- JSONWS API responses containing administrator email addresses, screen names, or user identifiers returned to non-admin accounts.
- Repeated enumeration patterns against user-related JSONWS methods such as user/get-user-by-* from a single authenticated session.
Detection Strategies
- Audit Liferay access logs for authenticated requests to JSONWS user-service endpoints, correlating the requesting user's role against the data returned.
- Inspect application-layer telemetry for sequential or scripted access to JSONWS APIs that does not match typical user behavior.
- Compare the version string reported by your Liferay deployment against the affected version ranges to confirm exposure.
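The first two strategies above, together with the user/get-user-by-* enumeration indicator, as an added example that is not part of the original advisory: it parses constructed Liferay access-log lines and flags successful JSONWS user-lookup calls made by non-admin sessions, escalating repeated calls to an enumeration finding. The log format (Tomcat common log with the authenticated screen name appended), the admin role mapping and the `guest01`/`portaladmin` names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines, not real traffic. Assumed format: Tomcat common
# log with the authenticated Liferay screen name appended as a final field by a
# custom access-log pattern; adjust LOG_RE to match your own deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2025:10:00:01 +0000] "GET /api/jsonws/user/get-user-by-id?userId=20103 HTTP/1.1" 200 612 guest01
10.0.0.5 - - [12/Dec/2025:10:00:02 +0000] "GET /api/jsonws/user/get-user-by-id?userId=20104 HTTP/1.1" 200 598 guest01
10.0.0.5 - - [12/Dec/2025:10:00:02 +0000] "GET /api/jsonws/user/get-user-by-id?userId=20105 HTTP/1.1" 200 601 guest01
10.0.0.5 - - [12/Dec/2025:10:00:03 +0000] "GET /api/jsonws/user/get-user-by-screen-name?companyId=20097&screenName=admin HTTP/1.1" 200 640 guest01
10.0.0.9 - - [12/Dec/2025:10:00:04 +0000] "GET /api/jsonws/user/get-user-by-email-address?companyId=20097&emailAddress=test@example.com HTTP/1.1" 200 630 portaladmin
10.0.0.7 - - [12/Dec/2025:10:00:06 +0000] "POST /api/jsonws/user/update-password HTTP/1.1" 200 12 guest02
"""

# Assumed role mapping; in practice export it from Liferay's user/role tables.
ADMIN_USERS = {"portaladmin"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<user>\S+)$'
)
# JSONWS user-lookup methods (user/get-user-by-*) named in the IoC list above.
USER_LOOKUP_RE = re.compile(r"^/api/jsonws/user/get-user-by-[a-z-]+$")


def detect_jsonws_user_enumeration(log_text, admin_users=ADMIN_USERS, threshold=3):
    """Flag non-admin users whose JSONWS user-lookup calls succeeded (2xx)."""
    counts = Counter()
    methods = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production job would log this
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not USER_LOOKUP_RE.match(path) or not m["status"].startswith("2"):
            continue  # not a user lookup, or the server refused it
        if m["user"] in admin_users:
            continue  # an administrator is entitled to read these records
        counts[m["user"]] += 1
        methods[m["user"]].add(path.rsplit("/", 1)[1])
    return [
        {
            "user": user,
            "lookups": n,
            "methods": sorted(methods[user]),
            # one call is low severity; reaching `threshold` is the repeated pattern
            "severity": "enumeration" if n >= threshold else "low",
        }
        for user, n in counts.items()
    ]
```

Running `detect_jsonws_user_enumeration(SAMPLE_LOG)` yields a single enumeration finding for `guest01`; the administrator's lookup and the unrelated `update-password` call produce none.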
Monitoring Recommendations
- Forward Liferay web server and application logs to a centralized log analytics platform for retention and query.
- Establish baseline JSONWS API usage per user role and alert on deviations from low-privilege accounts.
- Monitor for anomalous administrator account targeting following any user self-registration spike.
How to Mitigate CVE-2025-43768
Immediate Actions Required
- Apply the Liferay security patch referenced in the vendor advisory for your specific Portal or DXP release branch.
- Restrict open user self-registration on internet-facing Liferay deployments until patches are applied.
- Review and tighten JSONWS endpoint exposure using the jsonws.web.service.paths.excludes and related portal properties.
Patch Information
Liferay has published remediation guidance in the Liferay Security Advisory CVE-2025-43768. Upgrade Liferay Portal to a release later than 7.4.3.131 or apply the corresponding DXP quarterly hotfix. DXP customers on 7.4 GA should move beyond update 92 to a fixed update level.
Workarounds
- Block external access to /api/jsonws at the reverse proxy or web application firewall when not required by integrations.
- Disable or exclude vulnerable JSONWS service methods using Liferay portal properties until the patch is deployed.
- Enforce least-privilege role assignments and disable anonymous or open user registration on production portals.
# Example portal-ext.properties hardening to restrict JSONWS exposure
# Excluding these user-lookup methods also breaks integrations that call them legitimately.
jsonws.web.service.paths.excludes=/user/get-user-by-email-address,/user/get-user-by-screen-name,/user/get-user-by-id
# SERVER_IP is a placeholder for the portal host's own address. The portal's own front end
# calls /api/jsonws, so test this host restriction before deploying it to production.
jsonws.servlet.hosts.allowed=127.0.0.1,SERVER_IP
# Hide the JSONWS method browser so the exposed service surface is not listable.
jsonws.web.service.api.discoverable=false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.