CVE-2025-4655

medium
Published 2025-08-09 · Modified 2025-08-12
CVSS v3: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
CVSS v2
VIR risk: 5.0

Description

Liferay Portal and Liferay DXP are vulnerable to Server-Side Request Forgery (SSRF).

Predictions

Exploit likelihood: 60%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security@liferay.com — https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-4655

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| java Maven | com.liferay.portal:release.portal.bom | >=7.4.0,<=7.4.3.132 | |
| java Maven | com.liferay.portal:release.dxp.bom | >=2025.Q1.0,<2025.Q1.6 | 2025.Q1.6 |
| java Maven | com.liferay.portal:release.dxp.bom | >=2024.Q4.0,<=2024.Q4.7 | |
| java Maven | com.liferay.portal:release.dxp.bom | >=2024.Q3.1,<=2024.Q3.13 | |
| java Maven | com.liferay.portal:release.dxp.bom | >=2024.Q2.0,<=2024.Q2.13 | |
| java Maven | com.liferay.portal:release.dxp.bom | >=2024.Q1.0,<2024.Q1.16 | 2024.Q1.16 |
| java Maven | com.liferay.portal:release.dxp.bom | <=7.4.13.u92 | |

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| liferay | digital_experience_platform | {"startIncluding":"2024.Q1.1","endExcluding":"2024.Q1.16"} | 2024.Q1.16 |
| liferay | digital_experience_platform | 7.4 | |
| liferay | liferay_portal | {"startIncluding":"7.4.0","endIncluding":"7.4.3.132"} | |

References

CWEs

CWE-918
