GHSA-c6g5-g6r7-q4j6: Liferay Portal and Liferay DXP vulnerable to Server-Side Request Forgery
An SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs.
- CVE-2025-4655
Moderate severity • GitHub Reviewed • Published Aug 9, 2025 to the GitHub Advisory Database • Updated Aug 12, 2025
Package
com.liferay.portal:release.dxp.bom (Maven)
Affected versions
>= 2025.Q1.0, <= 2025.Q1.5
>= 2024.Q4.0, <= 2024.Q4.7
>= 2024.Q3.1, <= 2024.Q3.13
>= 2024.Q2.0, <= 2024.Q2.13
>= 2024.Q1.0, <= 2024.Q1.15
<= 7.4.13.u92
Patched versions
2025.Q1.6
2024.Q1.16
com.liferay.portal:release.portal.bom (Maven)
Published to the GitHub Advisory Database: Aug 9, 2025
Last updated: Aug 12, 2025