CVE-2025-3639: Authentication Bypass Using an Alternate Path or Channel in DXP

Severity
2.0 LOW (NVD)
EPSS
0.0%
top 91.50%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Aug 18

Description

Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Affected Packages (2 packages)

CVEListV5: liferay/portal, 7.3.0 through 7.4.3.132
CVEListV5: liferay/dxp, 7.3.10 through 7.3.10-u36 (+6)

Vulnerability Details (3)

OSV: Liferay Portal Login Bypass Vulnerability (2025-08-18)
GHSA: Liferay Portal Login Bypass Vulnerability (2025-08-18)
CVEList: CVE-2025-3639: Liferay Portal 7 (2025-08-18)