CVE-2025-43736: CWE-770 Allocation of Resources Without Limits or Throttling in Liferay Portal
A Denial of Service via File Upload (DoS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture larger than 300 KB into the user profile. This exceeds the noted maximum size of 300 KB. The extra data can make Liferay slower.
AI Analysis
Technical Summary
CVE-2025-43736 is a medium severity Denial of Service (DoS) vulnerability affecting multiple versions of the Liferay Portal and Liferay DXP products, specifically versions 7.4.3.0 through 7.4.3.132 and various 2024 and 2025 quarterly releases. The vulnerability arises from improper resource allocation controls related to file uploads, specifically profile pictures. Although the system is designed to restrict profile picture uploads to a maximum size of 300 KB, this vulnerability allows users to upload files exceeding this limit. The excessive file size causes the Liferay Portal to consume disproportionate system resources, leading to performance degradation and potential service slowdown or denial of service. This issue is categorized under CWE-770, which refers to allocation of resources without limits or throttling, indicating that the application does not adequately constrain resource consumption during file upload processing. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on availability (VA:L). No known exploits are currently reported in the wild, and no patches are linked yet, suggesting that mitigation may require vendor updates or configuration changes. The vulnerability can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers. The primary impact is on availability due to resource exhaustion, potentially causing service degradation or outages in affected Liferay Portal deployments.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of service disruption through denial of service attacks. Organizations relying on Liferay for critical intranet portals, customer-facing websites, or digital experience platforms may experience degraded performance or outages if attackers exploit this vulnerability by uploading oversized profile pictures. This can affect business continuity, user experience, and potentially lead to reputational damage. Since the vulnerability requires no authentication or user interaction, it can be exploited by external attackers or malicious insiders with minimal effort. The impact is particularly significant for organizations with high user volumes or those that allow open user registrations, as the attack surface for uploading profile pictures is larger. Additionally, sectors such as government, finance, healthcare, and large enterprises in Europe that use Liferay for internal or external portals may face operational disruptions. The lack of current known exploits provides some time for mitigation, but the broad version range affected means many deployments could be vulnerable if not updated or configured properly.
Mitigation Recommendations
1. Immediate mitigation should involve implementing strict file upload size validation and throttling at the application or web server level to enforce the 300 KB limit effectively.
2. Monitor and log file upload activities to detect abnormal upload sizes or volumes that could indicate exploitation attempts.
3. Apply network-level rate limiting and web application firewall (WAF) rules to restrict excessive upload requests from single IP addresses or user accounts.
4. Engage with Liferay support or vendor channels to obtain official patches or updates addressing this vulnerability as soon as they become available.
5. Review and harden user registration and profile update workflows to include additional validation and possibly CAPTCHA to reduce automated abuse.
6. Conduct regular performance monitoring of Liferay Portal instances to identify unusual resource consumption patterns early.
7. Consider isolating Liferay Portal instances behind load balancers or reverse proxies that can provide additional filtering and throttling capabilities.
8. Educate administrators and users about the vulnerability and encourage reporting of any unusual system behavior related to profile picture uploads.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:20.337Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689b22e1ad5a09ad003125a0
Added to database: 8/12/2025, 11:17:53 AM
Last enriched: 8/12/2025, 11:33:01 AM
Last updated: 8/19/2025, 12:34:30 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)