CVE-2025-43747Server-Side Request Forgery in Digital Experience Platform

CWE-918Server-Side Request Forgery3 documents3 sources
Severity
4.8MEDIUMNVD
EPSS
0.0%
top 89.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Liferay Digital Experience PlatformLiferay DXP
Timeline
PublishedAug 21

Description

A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

NVDliferay/digital_experience_platform2025.Q2.02025.Q2.4
CVEListV5liferay/dxp2025.Q2.02025.Q2.3

🔴Vulnerability Details

2
GHSA
GHSA-7gq9-6fw6-w5q3: A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 20252025-08-21
CVEList
CVE-2025-43747: A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 20252025-08-21
CVE-2025-43747 — Server-Side Request Forgery | cvebase