Critical Vulnerability Information

Vulnerability Identifier
CVE ID: CVE-2025-4581

Vulnerability Description
Type: Blind SSRF (Server-Side Request Forgery)
Location: portal-settings-authentication-opensso-web
Cause: Due to improper validation of user-supplied URLs, a blind SSRF vulnerability exists during the pre-authentication phase.
Impact: Attackers can exploit this vulnerability to force the server to send arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation.

Severity
CVSS Score: 5.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N)

Affected Versions
Liferay Portal 7.4.0 to 7.4.3.132
Liferay DXP 2025.Q1.0 to 2025.Q1.4
Liferay DXP 2024.Q4.0 to 2024.Q4.7
Liferay DXP 2024.Q3.1 to 2024.Q3.13
Liferay DXP 2024.Q2.0 to 2024.Q2.13
Liferay DXP 2024.Q1.1 to 2024.Q1.15
Liferay DXP 7.4 GA to update 92

Fixed Versions
Liferay Portal: fixed in the master branch
Liferay DXP 2025.Q2.0
Liferay DXP 2025.Q1.5
Liferay DXP 2024.Q1.16

Acknowledgments
Reporters: Shubham Shah (CTO @ Assetnote) and Adam Kues (Security Researcher @ Assetnote)
Disclosure Date: April 4, 2025, 16:24:00 +0000
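The cause above is improper validation of a user-supplied URL that the server later fetches. The following is an added example (not Liferay's code, and not the actual fix) showing the kind of check a server-side fetch of an identity-provider URL should pass before any request is made; the allowlisted host name and the pluggable resolver are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: the identity-provider hosts an operator has actually
# configured. The name is a placeholder, not a Liferay setting.
ALLOWED_IDP_HOSTS = {"sso.example.org"}


def resolve_host(host):
    """Resolve a hostname to the set of IP address strings it points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_idp_url(url, allowed_hosts=ALLOWED_IDP_HOSTS, resolve=resolve_host):
    """Decide whether a user-supplied IdP URL may be fetched server-side.

    Returns (ok, reason). Only https URLs to an allowlisted host pass, and
    every address the host resolves to must be globally routable, so a name
    that points at loopback, RFC 1918, link-local or other reserved ranges
    is refused even if it is on the allowlist.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"  # reject embedded credentials
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in allowed_hosts:
        return False, "host not in allowlist"
    try:
        addresses = resolve(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, f"unparseable address {addr}"
        if not ip.is_global:
            return False, f"host resolves to non-global address {addr}"
    return True, "ok"
```

The addresses returned at validation time should also be the ones the HTTP client actually connects to; re-resolving the name at fetch time reopens the gap this check closes.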