CVE-2025-43819 - Vulnerability Details

A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Liferay	Dxp Portal

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Liferay	Dxp Portal

Advisories

Source	ID	Title
EUVD	EUVD-2025-30940	Liferay Portal and DXP does not properly expire sessions
Github GHSA	GHSA-rpx3-f938-xj5q	Liferay Portal and DXP does not properly expire sessions

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819

History

Thu, 25 Sep 2025 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Liferay Liferay dxp Liferay portal
Vendors & Products		Liferay Liferay dxp Liferay portal

Wed, 24 Sep 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 24 Sep 2025 01:45:00 +0000

Type	Values Removed	Values Added
Description		A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API
Weaknesses		CWE-613
References		https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819
Metrics		cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Liferay

Published: 2025-09-24T01:37:03.396Z

Updated: 2025-09-24T13:14:12.135Z

Reserved: 2025-04-17T10:55:35.684Z

Link: CVE-2025-43819

Vulnrichment

Updated: 2025-09-24T13:14:07.959Z

NVD

Status : Awaiting Analysis

Published: 2025-09-24T02:15:31.107

Modified: 2025-09-24T18:11:24.520

Link: CVE-2025-43819

Redhat

No data.

OpenCVE Enrichment

Updated: 2025-09-25T08:21:40Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object