
CVE-2025-43736: CWE-770 Allocation of Resources Without Limits or Throttling in Liferay Portal

Medium
Tags: Vulnerability, CVE-2025-43736, cve, cwe-770
Published: Tue Aug 12 2025 (08/12/2025, 11:01:11 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

A Denial of Service via File Upload (DoS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture larger than 300 KB into the user profile. This exceeds the noted maximum size of 300 KB. The extra data can make Liferay slower.

AI-Powered Analysis

Last updated: 08/12/2025, 11:33:01 UTC

Technical Analysis

CVE-2025-43736 is a medium severity Denial of Service (DoS) vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.3.0 through 7.4.3.132 and various 2024 and 2025 quarterly releases. The vulnerability arises from improper resource allocation controls on file uploads, specifically profile pictures. Although the system is designed to restrict profile picture uploads to a maximum size of 300 KB, this vulnerability allows users to upload files exceeding that limit. The excessive file size causes Liferay Portal to consume disproportionate system resources, leading to performance degradation and potential service slowdown or denial of service.

The issue is categorized under CWE-770, allocation of resources without limits or throttling, indicating that the application does not adequately constrain resource consumption while processing file uploads. The CVSS 4.0 base score is 6.9, reflecting medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on availability (VA:L).

No known exploits are currently reported in the wild, and no patches are linked yet, suggesting that mitigation may require vendor updates or configuration changes. The vulnerability can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers. The primary impact is on availability due to resource exhaustion, potentially causing service degradation or outages in affected Liferay Portal deployments.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of service disruption through denial of service attacks. Organizations relying on Liferay for critical intranet portals, customer-facing websites, or digital experience platforms may experience degraded performance or outages if attackers exploit this vulnerability by uploading oversized profile pictures. This can affect business continuity, user experience, and potentially lead to reputational damage. Since the vulnerability requires no authentication or user interaction, it can be exploited by external attackers or malicious insiders with minimal effort. The impact is particularly significant for organizations with high user volumes or those that allow open user registrations, as the attack surface for uploading profile pictures is larger. Additionally, sectors such as government, finance, healthcare, and large enterprises in Europe that use Liferay for internal or external portals may face operational disruptions. The lack of current known exploits provides some time for mitigation, but the broad version range affected means many deployments could be vulnerable if not updated or configured properly.

Mitigation Recommendations

1. Immediate mitigation should involve implementing strict file upload size validation and throttling at the application or web server level to enforce the 300 KB limit effectively.
2. Monitor and log file upload activities to detect abnormal upload sizes or volumes that could indicate exploitation attempts.
3. Apply network-level rate limiting and web application firewall (WAF) rules to restrict excessive upload requests from single IP addresses or user accounts.
4. Engage with Liferay support or vendor channels to obtain official patches or updates addressing this vulnerability as soon as they become available.
5. Review and harden user registration and profile update workflows to include additional validation and possibly CAPTCHA to reduce automated abuse.
6. Conduct regular performance monitoring of Liferay Portal instances to identify unusual resource consumption patterns early.
7. Consider isolating Liferay Portal instances behind load balancers or reverse proxies that can provide additional filtering and throttling capabilities.
8. Educate administrators and users about the vulnerability and encourage reporting of any unusual system behavior related to profile picture uploads.
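As an added example of mitigation items 2 and 3 (not code from the advisory or from Liferay), the script below scans constructed access-log lines for profile-picture uploads whose request body exceeds the 300 KB limit and counts them per client IP so that repeat offenders can be handed to a rate limiter or WAF rule. The log format, the upload path and the sample entries are all assumptions; the real Liferay endpoint is not named on the page.

```python
import re
from collections import Counter

# Size cap the advisory says Liferay intends for profile pictures (300 KB, taken as 300 * 1024 bytes).
MAX_PROFILE_PICTURE_BYTES = 300 * 1024

# Hypothetical upload path used only for the constructed sample; the page does not
# name the real endpoint, so adjust this pattern to match your deployment's logs.
UPLOAD_PATH_RE = re.compile(r"/profile-picture/upload")

# Constructed log format: client IP, request line, status, request body size in bytes.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) req_bytes=(?P<req_bytes>\d+)$'
)

# Constructed sample: one client sends three multi-megabyte profile pictures.
SAMPLE_LOG = """\
203.0.113.7 "POST /c/portal/profile-picture/upload HTTP/1.1" 200 req_bytes=204800
203.0.113.7 "POST /c/portal/profile-picture/upload HTTP/1.1" 200 req_bytes=5242880
198.51.100.9 "GET /web/guest/home HTTP/1.1" 200 req_bytes=0
203.0.113.7 "POST /c/portal/profile-picture/upload HTTP/1.1" 200 req_bytes=7340032
203.0.113.7 "POST /c/portal/profile-picture/upload HTTP/1.1" 200 req_bytes=6291456
198.51.100.9 "POST /c/portal/profile-picture/upload HTTP/1.1" 200 req_bytes=102400
"""

def parse_log(text):
    """Yield one dict per line that matches the constructed format; skip the rest."""
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["req_bytes"] = int(rec["req_bytes"])
            yield rec

def oversized_uploads(text, limit=MAX_PROFILE_PICTURE_BYTES):
    """Return (ip, req_bytes) for profile-picture POSTs whose body exceeds the limit."""
    return [
        (r["ip"], r["req_bytes"])
        for r in parse_log(text)
        if r["method"] == "POST" and UPLOAD_PATH_RE.search(r["path"]) and r["req_bytes"] > limit
    ]

def noisy_clients(text, limit=MAX_PROFILE_PICTURE_BYTES, threshold=3):
    """IPs with at least `threshold` oversized uploads: candidates for throttling or blocking."""
    counts = Counter(ip for ip, _ in oversized_uploads(text, limit))
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, size in oversized_uploads(SAMPLE_LOG):
        print(f"oversized profile picture upload from {ip}: {size} bytes")
    print("clients to throttle:", noisy_clients(SAMPLE_LOG))
```

The same check belongs in front of the application as well: a reverse proxy body-size limit rejects the request before Liferay allocates anything for it, which is the CWE-770 point the advisory makes.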


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:20.337Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689b22e1ad5a09ad003125a0

Added to database: 8/12/2025, 11:17:53 AM

Last enriched: 8/12/2025, 11:33:01 AM

Last updated: 8/19/2025, 12:34:30 AM
