CVE-2025-43793 Overview
CVE-2025-43793 is an improper input validation vulnerability in Liferay Portal and Liferay Digital Experience Platform (DXP). When the application computes the Domain attribute of the cookies it sets, it incorrectly identifies which part of its own host name is the subdomain, so the cookies end up scoped to a parent domain broader than the deployment itself (a "supercookie"). A remote attacker who controls any website under the same top-level domain (TLD) as the vulnerable instance therefore receives those cookies from a victim's browser, which can lead to session hijacking or disclosure of whatever the cookies contain.
Critical Impact
Attackers controlling any website under the same TLD receive the application's cookies, including the session cookie, from victims' browsers. That enables session hijacking and unauthorized access to the victim's account and the data it can reach.
Affected Products
- Liferay Portal 7.4.0 through 7.4.3.105 (and older unsupported versions)
- Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4
- Liferay DXP 7.4 GA through update 92, 7.3 GA through update 35 (and older unsupported versions)
Discovery Timeline
- September 15, 2025 - CVE-2025-43793 published to NVD
- December 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-43793
Vulnerability Analysis
The vulnerability is recorded under CWE-1284 (Improper Validation of Specified Quantity in Input). The defect lies in how the application parses its host name into domain components when it sets cookies: it miscalculates where the shared parent domain ends, and emits a Domain attribute that is broader than the deployment's own registrable domain. A cookie scoped that way is a "supercookie": the browser sends it to every host under that parent, not just to the application that set it.
The flaw matters wherever unrelated parties share a parent domain. For example, if a vulnerable instance at portal.company.co.uk emits its cookies with Domain=.co.uk, the victim's browser will attach them to requests for any other .co.uk host, including one the attacker registered. Nothing the attacker sends triggers the bug; the application sets the over-broad Domain on its own, and the browser then delivers the cookie. One caveat narrows the practical exposure: modern browsers refuse to store a cookie whose Domain attribute is an entry on the Public Suffix List (co.uk is one), so the realistic targets are shared parent domains that are not on that list, such as a corporate group's or hosting provider's common parent, together with clients whose suffix list is missing or stale.
The vulnerability requires user interaction, since the victim must visit both the legitimate Liferay portal and an attacker-controlled site under the same TLD. However, the attack is network-based and needs no authentication on the attacker's side, and the cookie reaches the attacker in the Cookie request header rather than through script, so HttpOnly offers no protection. This makes the issue a significant concern for organizations running affected Liferay deployments in multi-tenant or shared-parent-domain environments.
Root Cause
The root cause is the domain-boundary logic in Liferay's cookie handling. When computing the Domain attribute it does not correctly determine where the registrable domain ends and the deployment's own subdomain begins, particularly for multi-label public suffixes (such as co.uk) and other shared parent domains. The resulting Domain attribute is too permissive, so the cookie is delivered to unrelated hosts under the same parent.
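To make the parsing failure concrete, the following is an added illustration, not Liferay's own code: naive_cookie_domain() is an assumed model of the bug class (a fixed "keep the last two labels" rule), safe_cookie_domain() is the public-suffix-aware alternative, and browser_stores() applies the RFC 6265 rule that lets a browser reject a Domain that is itself a public suffix. PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.

```python
"""Cookie Domain scoping: a naive heuristic beside a public-suffix-aware one.

Added illustration, not Liferay's source: naive_cookie_domain() is an assumed
model of the bug class ("keep the last two labels"), and PUBLIC_SUFFIXES is a
constructed stand-in for the real Public Suffix List (publicsuffix.org).
"""

# Constructed subset of the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "org.uk", "jp", "co.jp"}


def _labels(host: str) -> list[str]:
    """Lower-case the host, drop a trailing dot and split into DNS labels."""
    return [label for label in host.lower().rstrip(".").split(".") if label]


def naive_cookie_domain(host: str) -> str:
    """Assumed buggy rule: always keep the last two labels.

    'portal.company.co.uk' -> '.co.uk'. That is a public suffix, so the cookie
    would be sent to every host under .co.uk: a supercookie.
    """
    labels = _labels(host)
    if len(labels) < 2:
        return ""  # single-label host: no Domain attribute (host-only cookie)
    return "." + ".".join(labels[-2:])


def public_suffix(host: str) -> str:
    """Longest suffix of host found in PUBLIC_SUFFIXES; the PSL default rule is the TLD."""
    labels = _labels(host)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1] if labels else ""


def registrable_domain(host: str) -> str:
    """eTLD+1: the public suffix plus one more label, or '' if host is itself a suffix."""
    labels = _labels(host)
    suffix_len = len(_labels(public_suffix(host)))
    if len(labels) <= suffix_len:
        return ""
    return ".".join(labels[-(suffix_len + 1):])


def safe_cookie_domain(host: str) -> str:
    """Domain attribute that is never broader than the deployment's registrable domain.

    '' (host-only) when the host is a public suffix or a single label,
    otherwise '.' + eTLD+1, so only the deployment's own subdomains share it.
    """
    reg = registrable_domain(host)
    return "." + reg if reg else ""


def browser_stores(request_host: str, domain_attr: str) -> bool:
    """RFC 6265 section 5.3 step 5 as a browser applies it.

    A Domain that is a public suffix is ignored unless it equals the request
    host exactly. This is why the supercookie is most dangerous for shared
    parents that are NOT on the list: the browser has no reason to reject them.
    """
    host = request_host.lower()
    domain = domain_attr.lower().lstrip(".")
    if not domain:
        return True
    if public_suffix(domain) == domain:
        return domain == host
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for host in ("portal.company.co.uk", "portal.example.com", "localhost"):
        naive, safe = naive_cookie_domain(host), safe_cookie_domain(host)
        print(f"{host:24} naive={naive or '(host-only)':16} "
              f"browser stores naive: {browser_stores(host, naive)}  "
              f"safe={safe or '(host-only)'}")
```

For portal.company.co.uk the naive rule yields .co.uk, which a current browser discards because co.uk is on the list; for a shared parent that is not listed, both heuristics agree and the cookie is stored, which is why an explicit, deployment-specific cookie domain is the robust fix rather than any host-name heuristic.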
Attack Vector
The attack leverages the network-accessible nature of web applications and requires the attacker to control another website on the same TLD as the target Liferay installation. The exploitation flow involves:
- An attacker registers or controls a domain that shares the same TLD as the victim's Liferay portal
- A user authenticates to the vulnerable Liferay application, which sets its session and other cookies with an overly broad Domain attribute
- The user subsequently visits the attacker-controlled website (via phishing, malvertising, or a compromised site)
- The victim's browser includes the supercookie in its requests to the attacker's host; the attacker's server reads the Cookie header and extracts the session identifier and any other cookie values
- The attacker replays the stolen session cookie against the Liferay portal to impersonate the victim or gain unauthorized access
The vulnerability is particularly concerning for ccTLDs where registrations happen below a shared second-level label (co.uk and similar), for public cloud hosting environments with shared parent domains, and for enterprise environments where multiple business units operate subdomains under a common parent and any one of them may be compromised. Browsers reject a Domain attribute that is on the Public Suffix List, so shared parents missing from that list carry the highest risk.
Detection Methods for CVE-2025-43793
Indicators of Compromise
- Set-Cookie headers from the Liferay host whose Domain attribute names a parent broader than the deployment's registrable domain (for example Domain=.co.uk instead of Domain=.company.co.uk), visible in browser developer tools or a proxy capture
- The Liferay session cookie (JSESSIONID) or other Liferay cookies arriving in requests to hosts outside the application, visible in those hosts' access logs
- Anomalous authentication patterns where an established session is used from an unexpected client address or location shortly after a legitimate login
- Web application firewall or reverse-proxy logs showing the same session identifier in requests from more than one client address within a short interval
Detection Strategies
- Audit Set-Cookie response headers from Liferay applications to verify proper domain scoping
- Stand up a test host under the same parent domain as the portal, log in to Liferay from a browser, then browse to the test host and check whether its request logs contain the Liferay session cookie
- Deploy web application firewall rules to flag suspicious cookie domain configurations
- Review session logs for authentication anomalies indicating potential cookie theft
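The Set-Cookie audit in the first strategy can be scripted. The following is an added example, not part of the original page or of Liferay: it parses constructed Set-Cookie headers (using cookie names Liferay commonly sets, with made-up values) and flags any Domain attribute that is broader than the deployment's configured registrable domain, along with missing Secure and HttpOnly flags. The request host and allowed domain are assumed inputs for the deployment under test.

```python
"""Audit Set-Cookie headers for over-broad Domain attributes.

Added example, not from the original page or from Liferay. SAMPLE_SET_COOKIES
is a constructed capture of Set-Cookie headers as a reverse proxy or test client
would see them; the request host and the broadest allowed cookie domain are the
only configuration needed.
"""
import re

# Constructed Set-Cookie headers "captured" from one Liferay response.
SAMPLE_SET_COOKIES = [
    "JSESSIONID=abc123; Path=/; Domain=.co.uk; Secure; HttpOnly",
    "COMPANY_ID=20097; Path=/; Domain=.company.co.uk; Secure",
    "GUEST_LANGUAGE_ID=en_US; Path=/; Secure",  # no Domain attribute: host-only
    "ID=deadbeef; Path=/; Domain=.company.co.uk; HttpOnly",
]

# One cookie attribute: "Name" or "Name=value", surrounding whitespace ignored.
_ATTR = re.compile(r"^\s*([^=;]+)(?:=([^;]*))?\s*$")


def parse_set_cookie(header: str) -> dict:
    """Return {'name', 'value', 'attrs': {lower-case attr name: value}}."""
    parts = header.split(";")
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        m = _ATTR.match(part)
        if m:
            attrs[m.group(1).strip().lower()] = (m.group(2) or "").strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_cookie(header: str, request_host: str, allowed_domain: str) -> list[str]:
    """Findings for one Set-Cookie header (empty list means clean).

    allowed_domain is the broadest Domain the deployment may legitimately use,
    typically its registrable domain (e.g. 'company.co.uk'). A Domain that the
    request host does not fall under, or that is broader than allowed_domain,
    is flagged; Secure and (for the session cookie) HttpOnly are checked too.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        if not domain_matches(request_host, domain):
            findings.append(f"Domain={domain} does not cover request host {request_host}")
        elif not domain_matches(domain, allowed_domain):
            # e.g. Domain=co.uk when company.co.uk (or below) is the limit
            findings.append(f"Domain={domain} is broader than {allowed_domain} (supercookie)")
    if "secure" not in attrs:
        findings.append("missing Secure")
    if cookie["name"].upper() == "JSESSIONID" and "httponly" not in attrs:
        findings.append("session cookie missing HttpOnly")
    return findings


def audit_all(headers, request_host: str, allowed_domain: str) -> dict[str, list[str]]:
    """Map cookie name -> findings for every header that has at least one."""
    result = {}
    for header in headers:
        findings = audit_cookie(header, request_host, allowed_domain)
        if findings:
            result[parse_set_cookie(header)["name"]] = findings
    return result


if __name__ == "__main__":
    report = audit_all(SAMPLE_SET_COOKIES, "portal.company.co.uk", "company.co.uk")
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
```

Run it against the headers a real response returns (curl -sI on the login page, or a proxy capture) with the deployment's own host name; on a patched or correctly configured instance the only expected output is flag hygiene, never a "broader than" finding.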
Monitoring Recommendations
- Enable verbose logging for authentication and session management modules in Liferay
- Monitor for unusual patterns in session creation and token validation across related domains
- Implement real-time alerting for session ID reuse from different IP addresses or geographic locations
- Track cookie attribute configurations through regular security configuration scans
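The session-reuse alert in the recommendations above is the signal most directly tied to a stolen cookie. The following is an added example, not from the original page or from Liferay: it assumes the reverse proxy in front of Liferay writes the JSESSIONID cookie value into its access log (with Apache, %{JSESSIONID}C in LogFormat), and runs over constructed log lines in an assumed "timestamp client-ip session-id method path" format to flag sessions that flip between client addresses within a short window.

```python
"""Flag session identifiers that are reused from more than one client address.

Added example, not from the original page or from Liferay. It assumes the
reverse proxy in front of Liferay logs the JSESSIONID cookie value (Apache:
%{JSESSIONID}C in LogFormat); SAMPLE_LOG is constructed in the assumed format
"ISO-8601-timestamp client-ip session-id method path".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: session S1 flips between two addresses within
# minutes (hijack-like); S2 moves once, almost an hour later (roaming-like).
SAMPLE_LOG = """\
2025-09-16T09:00:01Z 203.0.113.10 S1 GET /group/guest/home
2025-09-16T09:00:05Z 203.0.113.10 S1 GET /c/portal/login
2025-09-16T09:02:30Z 198.51.100.77 S1 GET /group/intranet/dashboard
2025-09-16T09:03:00Z 203.0.113.10 S1 GET /group/intranet/dashboard
2025-09-16T09:10:00Z 192.0.2.5 S2 GET /group/guest/home
2025-09-16T10:00:00Z 192.0.2.9 S2 GET /group/guest/home
"""


def parse_log(text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group (timestamp, client-ip) events by session id, in time order."""
    events = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] == "-":  # "-": request carried no cookie
            continue
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        events[fields[2]].append((ts, fields[1]))
    for evs in events.values():
        evs.sort()
    return events


def find_session_reuse(text: str, window: timedelta = timedelta(minutes=15)):
    """Return {session_id: [(from_ip, to_ip, gap_seconds), ...]} for every
    change of client address that happens within `window` of the previous hit.

    A session cookie stolen through a supercookie is replayed from the
    attacker's address while the victim is usually still browsing, so fast
    flips between addresses are the signal; slow changes (NAT, mobile roaming)
    fall outside the window and are not reported.
    """
    findings = {}
    for sid, evs in parse_log(text).items():
        switches = []
        for (prev_ts, prev_ip), (ts, ip) in zip(evs, evs[1:]):
            gap = ts - prev_ts
            if ip != prev_ip and gap <= window:
                switches.append((prev_ip, ip, int(gap.total_seconds())))
        if switches:
            findings[sid] = switches
    return findings


if __name__ == "__main__":
    for sid, switches in find_session_reuse(SAMPLE_LOG).items():
        for src, dst, gap in switches:
            print(f"{sid}: {src} -> {dst} after {gap}s")
```

Tune the window to the environment: a 15-minute window catches a hijacker acting while the victim is still active, while corporate NAT pools and mobile carriers can legitimately change the client address on a longer time scale. Treat a hit as a reason to invalidate the session and re-authenticate the user, not as proof of compromise on its own.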
How to Mitigate CVE-2025-43793
Immediate Actions Required
- Upgrade to the latest patched version of Liferay Portal or DXP that addresses CVE-2025-43793
- Review and audit cookie domain settings in existing deployments to identify supercookie configurations
- Add defense-in-depth session validation such as binding a session to the client address or user agent, accepting that address binding causes false logouts for users behind NAT pools or on mobile networks
- Consider deploying on dedicated domains rather than shared TLD infrastructure where feasible
Patch Information
Liferay has acknowledged this vulnerability and published security advisory information. Organizations should consult the Liferay Security Advisory for CVE-2025-43793 for the exact fixed versions and upgrade guidance. The version ranges listed above under Affected Products are inclusive, so the fix is the next release of each affected line; confirm the specific version in the advisory before upgrading, and verify afterwards that the Set-Cookie headers the portal returns carry a Domain no broader than the deployment's own registrable domain.
Workarounds
- Rewrite Set-Cookie headers at the web server or reverse proxy in front of Liferay so that the Domain attribute the application emits is removed (host-only cookie) or replaced with the deployment's own domain
- Set session.cookie.domain in portal-ext.properties to the deployment's own registrable domain (or enable session.cookie.use.full.hostname) so the application uses the configured value instead of deriving one from the host name; verify on a test instance that the Set-Cookie headers change accordingly
- Deploy Liferay applications on isolated domains that do not share a parent domain with untrusted third parties
- Keep the Secure and HttpOnly flags on all session cookies as general hygiene, but note that they do not stop this attack: the browser sends the supercookie in the Cookie header to any host under its Domain, and an attacker's HTTPS host receives it regardless of either flag
# Apache HTTP Server (mod_headers) configuration for the reverse-proxy virtual host in front of Liferay.
# Strips the Domain attribute the application emits, so every cookie becomes host-only
# (valid for the proxy hostname only), then adds Secure and HttpOnly where they are missing.
<Location />
    Header edit Set-Cookie "(?i);\s*Domain=[^;]*" ""
    Header edit Set-Cookie "(?i)^(?!.*;\s*Secure)(.*)$" "$1; Secure"
    Header edit Set-Cookie "(?i)^(?!.*;\s*HttpOnly)(.*)$" "$1; HttpOnly"
</Location>
# Repeat each line as "Header always edit ..." if cookies on error responses must be covered too.
# Add SameSite only after testing: Strict breaks SSO and other cross-site redirect flows into the portal.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

