Primary

Context

Liferay Portal and DXP File Upload Vulnerability Allowing Extension Obfuscation and MIME Type Bypass

Vulnerability

Patched

A vulnerability exists in Liferay Portal versions 7.4.0 to 7.4.3.132 and in Liferay DXP across several 2024 and 2025 releases, as well as in Liferay DXP 7.4. This vulnerability allows remote unauthenticated users (guests) to upload files through the form attachment field without adequate validation. This lack of proper checks enables users to obfuscate file extensions and bypass MIME type restrictions.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads that circumvent standard MIME type validations, potentially allowing malicious files to be uploaded and executed or processed inappropriately.

Remediation

Users can upgrade to Liferay Portal's master branch or Liferay DXP 2025.Q2.0 or 2025.Q1.2 to address this vulnerability.

Added: Aug 20, 2025, 1:20 PM

Updated: Aug 20, 2025, 3:03 PM

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.1

impact

2.5

exploitability

7.4

remediation

7.7

relevance

0.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Liferay Portal and DXP File Upload Vulnerability Allowing Extension Obfuscation and MIME Type Bypass

Vulnerability

Impact

Remediation

Affected Products

Liferay Portal

Liferay DXP

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating