GHSA-rpx3-f938-xj5q
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rpx3-f938-xj5q
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-rpx3-f938-xj5q/GHSA-rpx3-f938-xj5q.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rpx3-f938-xj5q
- Aliases
-
- CVE-2025-43819
- Published
- 2025-09-24T03:30:26Z
- Modified
- 2025-09-27T03:38:40.286894Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Liferay Portal and DXP does not properly expire sessions
- Details
-
Summary
Liferay Portal/DXP contains an Insufficient Session Expiration issue where the Single Logout (SLO) API may fail to invalidate a user’s previous session. An attacker can reuse a stale session via the SLO endpoint to gain an authenticated context.
Affected Versions
The following platform versions are affected:
- Liferay Portal:
7.3.3.131through7.4.3.121 - Liferay DXP:
2024.Q4.0–2024.Q4.32024.Q3.1–2024.Q3.132024.Q2.0–2024.Q2.132024.Q1.1–2024.Q1.12
Remediation
Update to the fixed builds and, for Maven consumers of the SAML module, upgrade
com.liferay:com.liferay.saml.implto 5.0.51 or later. After upgrading, ensure session invalidation policies are enforced and verify SLO behavior end-to-end. - Liferay Portal:
- Database specific
{ "cwe_ids": [ "CWE-613" ], "nvd_published_at": "2025-09-24T02:15:31Z", "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-09-24T17:28:45Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-43819
- https://github.com/liferay/liferay-portal/commit/433dff5edae4414fdc436b49a9edb62d721c84b5
- https://github.com/liferay/liferay-portal/commit/da9105a61d788801797797a32583a4b76c902cdc
- https://github.com/liferay/liferay-portal
- https://liferay.atlassian.net/browse/LPE-18159
- https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43819
- https://osv.dev/vulnerability/GHSA-rpx3-f938-xj5q
Affected packages
Maven / com.liferay:com.liferay.saml.impl
Package
- Name
- com.liferay:com.liferay.saml.impl
- View open source insights on deps.dev
- Purl
- pkg:maven/com.liferay/com.liferay.saml.impl
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.0.51
Affected versions
1.*
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
2.*
2.0.21
2.0.22
2.0.23
2.0.24
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
3.*
3.0.22
3.0.23
3.0.24
3.0.25
3.0.26
3.0.27
3.0.28
3.0.29
3.0.30
3.0.31
3.0.32
3.0.33
3.0.34
3.0.35
3.0.36
3.0.37
4.*
4.0.15
4.0.16
4.0.17
4.0.18
4.0.19
4.0.20
4.0.21
4.0.22
4.0.23
4.0.24
4.0.25
4.0.26
4.0.27
4.0.28
4.0.29
4.0.30
4.0.31
4.0.32
4.0.33
4.0.34
4.0.35
4.0.36
4.0.37
4.0.38
5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8
5.0.9
5.0.10
5.0.11
5.0.12
5.0.13
5.0.14
5.0.15
5.0.16
5.0.17
5.0.18
5.0.19
5.0.20
5.0.21
5.0.22
5.0.23
5.0.24
5.0.25
5.0.26
5.0.27
5.0.28
5.0.29
5.0.30
5.0.31
5.0.32
5.0.33
5.0.34
5.0.35
5.0.36
5.0.37
5.0.38
5.0.39
5.0.40
5.0.41
5.0.42
5.0.43
5.0.44
5.0.45
5.0.46
5.0.47
5.0.48
5.0.49
5.0.50