CVE-2025-43813 Overview
CVE-2025-43813 is a path traversal vulnerability combined with a denial-of-service condition affecting the ComboServlet component in Liferay Portal and Liferay Digital Experience Platform (DXP). This vulnerability allows remote attackers to access arbitrary CSS and JavaScript (JSS) files outside the intended directories and repeatedly load these files through specially crafted query strings in URLs.
The vulnerability exists due to insufficient input validation in the ComboServlet, which is responsible for serving combined CSS and JavaScript resources. By manipulating the query string parameters, attackers can traverse directory structures to access sensitive configuration files, application code, or cause service degradation through repeated file loading requests.
Critical Impact
Remote attackers can exploit this vulnerability without authentication to access arbitrary CSS and JavaScript files on the server and potentially cause denial-of-service through resource exhaustion by loading files multiple times.
Affected Products
- Liferay Portal 7.4.0 through 7.4.3.107 and older unsupported versions
- Liferay DXP 2023.Q4.0 through 2023.Q4.4, 2023.Q3.1 through 2023.Q3.8
- Liferay DXP 7.4 GA through update 92, 7.3 GA through update 35 and older unsupported versions
Discovery Timeline
- September 29, 2025 - CVE-2025-43813 published to NVD
- December 11, 2025 - Last updated in NVD database
Technical Details for CVE-2025-43813
Vulnerability Analysis
The vulnerability resides in the ComboServlet component of Liferay Portal and DXP, which is designed to optimize web application performance by combining multiple CSS and JavaScript files into single HTTP responses. This servlet fails to properly sanitize user-supplied input in the query string, allowing attackers to inject path traversal sequences.
When a request is processed by the ComboServlet, the file paths provided in the query string are not adequately validated against directory traversal attempts. This allows an attacker to use sequences such as ../ to navigate outside the intended resource directories and access files from other locations on the filesystem. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Additionally, the servlet does not implement proper rate limiting or request validation, enabling attackers to request the same files multiple times in rapid succession. This can lead to increased server resource consumption and potential denial-of-service conditions, particularly when targeting large files or making concurrent requests.
Root Cause
The root cause of this vulnerability is improper input validation in the ComboServlet's file path handling logic. The servlet does not properly canonicalize or validate file paths before accessing the filesystem, allowing relative path components to escape the intended directory structure. Furthermore, the lack of request throttling or deduplication allows the same files to be loaded repeatedly, creating the denial-of-service vector.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication. An attacker can craft malicious HTTP requests to the ComboServlet endpoint with specially formatted query strings containing path traversal sequences. The attack can be executed by:
- Identifying the ComboServlet endpoint (typically accessible at /combo or similar paths)
- Constructing a URL with path traversal sequences in the query string to access files outside the web root
- Optionally, making multiple concurrent requests to the same resources to amplify server load and cause denial-of-service
The vulnerability requires no user interaction and can be exploited remotely by any attacker with network access to the vulnerable Liferay instance. The attacker gains the ability to read arbitrary CSS and JavaScript files, potentially exposing sensitive application configuration or code, while also being able to degrade service availability.
Detection Methods for CVE-2025-43813
Indicators of Compromise
- Unusual HTTP requests to the ComboServlet endpoint containing ../ or URL-encoded path traversal sequences such as %2e%2e%2f
- High volume of requests to the ComboServlet from single IP addresses or unusual patterns
- Web server access logs showing requests for files outside normal CSS/JS resource directories
- Increased server resource utilization (CPU, memory, I/O) correlated with ComboServlet requests
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in query strings targeting the ComboServlet endpoint
- Configure intrusion detection systems (IDS) to alert on requests containing multiple path traversal sequences
- Enable detailed access logging for the Liferay application server and monitor for anomalous file access patterns
- Deploy rate limiting on the ComboServlet endpoint to detect and prevent denial-of-service attempts
Monitoring Recommendations
- Monitor web server logs for requests to /combo or equivalent ComboServlet endpoints with suspicious query parameters
- Set up alerts for abnormal traffic patterns targeting static resource serving endpoints
- Track server performance metrics and correlate spikes with ComboServlet request activity
- Implement log aggregation to identify distributed attack patterns across multiple source IPs
How to Mitigate CVE-2025-43813
Immediate Actions Required
- Upgrade Liferay Portal to version 7.4.3.108 or later to address this vulnerability
- Upgrade Liferay DXP to a patched version as specified in the vendor advisory
- Implement WAF rules to block path traversal attempts in query strings as an interim measure
- Consider temporarily restricting access to the ComboServlet endpoint if patching is not immediately possible
Patch Information
Liferay has addressed this vulnerability in updated releases. Organizations should consult the Liferay Security Advisory for CVE-2025-43813 for specific patched version information and upgrade instructions. Administrators should prioritize upgrading to the latest available version of their respective Liferay product line.
Workarounds
- Deploy a web application firewall with rules to detect and block path traversal sequences in requests to the ComboServlet
- Implement network-level access controls to restrict ComboServlet access to trusted sources only
- Configure rate limiting on the application server to mitigate denial-of-service attempts
- Monitor and audit access to the ComboServlet endpoint until patches can be applied
# Example WAF rule pattern for blocking path traversal (adapt for your WAF solution)
# Block requests containing path traversal sequences to ComboServlet
SecRule REQUEST_URI "@contains /combo" "chain,id:1001,phase:1,deny,status:403,msg:'Potential path traversal attempt'"
SecRule QUERY_STRING "@rx (\.\./|%2e%2e%2f|%2e%2e/|\.%2e/)" "t:lowercase,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
