CVE-2025-43813 is a path traversal vulnerability categorized under CWE-22, affecting multiple versions of Liferay Portal and Liferay DXP, including 7.4.0 through 7.4.3.107 and various 2023 Q3 and Q4 releases. The vulnerability resides in the ComboServlet, a component responsible for aggregating CSS and JavaScript resources. By manipulating the query string parameters in HTTP requests, an unauthenticated remote attacker can traverse directories and access arbitrary CSS and JavaScript files outside the intended resource directories. This unauthorized access could expose sensitive information embedded in these files or enable further attacks such as injecting malicious scripts. Additionally, the vulnerability allows attackers to repeatedly load these resources, potentially causing denial-of-service conditions by exhausting server resources or bandwidth. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality and availability. No known exploits have been reported in the wild to date. The vulnerability affects a broad range of Liferay Portal versions, including some older unsupported releases, increasing the attack surface for organizations that have not maintained up-to-date software. The lack of vendor patches at the time of publication necessitates immediate attention to mitigate risks.

For European organizations, this vulnerability could lead to unauthorized disclosure of internal CSS and JavaScript files, which may contain sensitive configuration details or proprietary code, thereby impacting confidentiality. The ability to repeatedly load these resources can degrade service availability, potentially disrupting business operations reliant on Liferay Portal. Organizations in sectors such as government, finance, healthcare, and critical infrastructure that use Liferay Portal for web content management or intranet services are particularly at risk. Exploitation could facilitate further attacks like cross-site scripting (XSS) if malicious scripts are injected or leveraged. The broad range of affected versions means many organizations may be vulnerable, especially those with delayed patch management or using unsupported versions. The medium severity rating indicates a moderate but tangible risk that could escalate if combined with other vulnerabilities or attack vectors.

European organizations should immediately audit their Liferay Portal deployments to identify affected versions. Until official patches are released, implement strict input validation and sanitization on the ComboServlet query parameters to prevent directory traversal sequences (e.g., ../). Employ web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal attempts targeting the ComboServlet. Restrict access to the ComboServlet endpoint to trusted internal networks or authenticated users where feasible. Monitor web server logs for unusual access patterns or repeated requests to CSS and JavaScript resources that could indicate exploitation attempts. Plan and prioritize upgrading to patched versions of Liferay Portal as soon as they become available. Additionally, conduct security awareness training for administrators to recognize signs of exploitation and maintain robust incident response capabilities. Consider isolating Liferay Portal instances in segmented network zones to limit potential lateral movement in case of compromise.