CVE-2025-43736 PUBLISHED

Assigner: Liferay
Reserved: 17.04.2025 Published: 12.08.2025 Updated: 12.08.2025

A Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload more than 300kb profile picture into the user profile. This size more than the noted max 300kb size. This extra amount of data can make Liferay slower.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Liferay
Product	Portal
Versions	Default: unaffected affected from 7.4.3.0 to 7.4.3.132 (incl.)

Vendor	Liferay
Product	DXP
Versions	Default: unaffected affected from 7.4.13 to 7.4.13-u92 (incl.) affected from 2024.Q1.1 to 2024.Q1.16 (incl.) affected from 2024Q2.0 to 2023.Q2.13 (incl.) affected from 2024.Q3.1 to 2024.Q3.13 (incl.) affected from 2024.Q4.0 to 2024.Q4.7 (incl.) affected from 2025.Q1.0 to 2025.Q1.8 (incl.)

Credits

Lorenzo Toti, Francesco Dalena, Simone Capparelli and the company DXC Technology reporter

References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736

Problem Types

CWE-770 Allocation of Resources Without Limits or Throttling CWE