CVE-2025-43749: CWE-552 Files or Directories Accessible to External Parties in Liferay Portal

Medium
Tags: Vulnerability, CVE-2025-43749, CWE-552
Published: Wed Aug 20 2025 (08/20/2025, 12:32:15 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library

AI-Powered Analysis

AI analysis last updated: 08/20/2025, 13:02:55 UTC

Technical Analysis

CVE-2025-43749 is a medium-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically Liferay Portal 7.4.0 through 7.4.3.132 and the Liferay DXP quarterly releases from 2024.Q1.1 through 2025.Q1.1 (the exact affected ranges are listed in the description above). It is classified under CWE-552, Files or Directories Accessible to External Parties. The core issue is that unauthenticated users (guests) can retrieve files that were uploaded through forms and stored in document_library simply by requesting their URL, so sensitive or confidential documents uploaded to the portal may be exposed to any external party without authentication or authorization. The root cause is insufficient access control on the document_library storage: files that should be protected are reachable over public URLs.

The CVSS 4.0 base score is 5.3 (medium). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), passive user interaction required (UI:P) and limited confidentiality impact (VC:L). No exploit in the wild is known as of the publication date, and no official patch links have been provided yet. The vulnerability can lead to unauthorized disclosure of sensitive information stored in the portal's document library, compromising the confidentiality and privacy of organizations that use Liferay Portal for content management and collaboration.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of unauthorized data exposure. Many enterprises, government agencies, and educational institutions in Europe rely on Liferay for intranet portals, document management, and collaboration platforms. Exposure of sensitive documents could lead to data breaches involving personal data, intellectual property, or confidential business information, potentially violating GDPR and other data protection regulations. The impact includes reputational damage, regulatory fines, and loss of trust from customers and partners. Since the vulnerability allows unauthenticated access, attackers do not need credentials or insider access, increasing the risk of opportunistic data scraping or targeted reconnaissance. However, the impact is somewhat limited by the requirement that files must have been uploaded and stored in the document_library, so the exposure depends on the portal's usage patterns and document sensitivity. The medium severity reflects that while confidentiality is affected, integrity and availability are not directly impacted. European organizations with extensive use of Liferay for document storage and public-facing portals are at higher risk.

Mitigation Recommendations

Organizations should immediately review their Liferay Portal and DXP deployments to identify whether they are running affected versions. Until official patches are released, administrators should implement the following mitigations:

1. Restrict direct URL access to the document_library directory via web server configuration (e.g., using .htaccess or equivalent rules) to enforce authentication and authorization.
2. Audit and remove any sensitive files stored in the document_library that should not be publicly accessible.
3. Configure Liferay permissions to limit guest user access to uploaded documents and forms.
4. Monitor web server logs for unusual access patterns to document_library URLs to detect potential exploitation attempts.
5. Consider deploying a web application firewall (WAF) with rules to block unauthenticated requests to sensitive document paths.
6. Plan and prioritize upgrading to patched versions once available from Liferay.
7. Educate content uploaders on secure handling of sensitive documents and the risks of public exposure.

These steps go beyond generic advice by focusing on access control enforcement at both the application and web server layers, combined with proactive monitoring.
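The log-monitoring step above (watching for guest access to document_library URLs) can be turned into a small detection script. The following is an added example, not code from Liferay or from the advisory. It assumes the web server writes the standard combined log format with the request's Cookie header appended as one extra quoted field, that guest requests carry no JSESSIONID session cookie (the servlet-container default name), and that document downloads are served under a path prefix which is a placeholder here (DOC_LIBRARY_PREFIX); the sample log lines, IP addresses and folder ids are constructed for the example.

```python
"""Flag unauthenticated (guest) downloads from a Liferay document library
using web-server access logs. Added example; not Liferay's own code."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ASSUMPTION (placeholder): path prefix under which the front end serves
# document_library files. Set this to what your deployment actually uses.
DOC_LIBRARY_PREFIX = "/documents/"

# ASSUMPTION: combined log format plus one trailing quoted field holding the
# request's Cookie header (configured on the web server for this purpose).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path  # drop query string for dedup
    rec["status"] = int(rec["status"])
    return rec


def is_document_request(path):
    """True when the request path points into the document library."""
    return path.startswith(DOC_LIBRARY_PREFIX)


def is_guest(rec):
    """ASSUMPTION: no JSESSIONID cookie means the request was unauthenticated."""
    return "JSESSIONID=" not in rec["cookie"]


def guest_document_hits(lines):
    """Map client IP -> set of distinct document paths served (2xx) to guests."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_document_request(rec["path"]):
            continue
        if not 200 <= rec["status"] < 300:   # denied/failed requests are not exposure
            continue
        if is_guest(rec):
            hits[rec["ip"]].add(rec["path"])
    return dict(hits)


def flag_enumeration(hits, threshold=3):
    """Return IPs that fetched at least `threshold` distinct documents as guest."""
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= threshold}


# Constructed sample log: one guest pulling several documents, one authenticated
# user, one guest whose request was denied, and one non-document page view.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Aug/2025:13:01:02 +0000] "GET /documents/10184/0/report.pdf?download=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [20/Aug/2025:13:01:05 +0000] "GET /documents/10184/0/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [20/Aug/2025:13:01:09 +0000] "GET /documents/10184/0/contract.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [20/Aug/2025:13:01:14 +0000] "GET /documents/10184/5/salaries.xlsx HTTP/1.1" 200 20480 "-" "Mozilla/5.0" "-"',
    '203.0.113.10 - - [20/Aug/2025:13:01:20 +0000] "GET /web/guest/home HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"',
    '198.51.100.5 - - [20/Aug/2025:13:02:00 +0000] "GET /documents/10184/0/report.pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "JSESSIONID=1A2B3C; COOKIE_SUPPORT=true"',
    '203.0.113.77 - - [20/Aug/2025:13:03:00 +0000] "GET /documents/10184/0/report.pdf HTTP/1.1" 403 199 "-" "curl/8.0" "-"',
]

if __name__ == "__main__":
    for ip, paths in flag_enumeration(guest_document_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {len(paths)} distinct documents served to an unauthenticated client")
        for p in paths:
            print("   ", p)
```

Only successful (2xx) responses count, because a 403 on a document URL is the access control working, not an exposure. The threshold separates a single stray hit from enumeration of many files; tune it to the normal guest traffic of your portal, and feed the script the real cookie-logging format you configure rather than the constructed one here.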


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:23.317Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a5c3ffad5a09ad0004d163

Added to database: 8/20/2025, 12:47:59 PM

Last enriched: 8/20/2025, 1:02:55 PM

Last updated: 8/21/2025, 12:35:14 AM

