CVE-2025-43736 is a medium severity Denial of Service (DoS) vulnerability affecting multiple versions of the Liferay Portal and Liferay DXP products, specifically versions 7.4.3.0 through 7.4.3.132 and various 2024 and 2025 quarterly releases. The vulnerability arises from improper resource allocation controls related to file uploads, specifically profile pictures. Although the system is designed to restrict profile picture uploads to a maximum size of 300 KB, this vulnerability allows users to upload files exceeding this limit. The excessive file size causes the Liferay Portal to consume disproportionate system resources, leading to performance degradation and potential service slowdown or denial of service. This issue is categorized under CWE-770, which refers to allocation of resources without limits or throttling, indicating that the application does not adequately constrain resource consumption during file upload processing. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on availability (VA:L). No known exploits are currently reported in the wild, and no patches are linked yet, suggesting that mitigation may require vendor updates or configuration changes. The vulnerability can be exploited remotely without authentication or user interaction, making it accessible to unauthenticated attackers. The primary impact is on availability due to resource exhaustion, potentially causing service degradation or outages in affected Liferay Portal deployments.

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of service disruption through denial of service attacks. Organizations relying on Liferay for critical intranet portals, customer-facing websites, or digital experience platforms may experience degraded performance or outages if attackers exploit this vulnerability by uploading oversized profile pictures. This can affect business continuity, user experience, and potentially lead to reputational damage. Since the vulnerability requires no authentication or user interaction, it can be exploited by external attackers or malicious insiders with minimal effort. The impact is particularly significant for organizations with high user volumes or those that allow open user registrations, as the attack surface for uploading profile pictures is larger. Additionally, sectors such as government, finance, healthcare, and large enterprises in Europe that use Liferay for internal or external portals may face operational disruptions. The lack of current known exploits provides some time for mitigation, but the broad version range affected means many deployments could be vulnerable if not updated or configured properly.

1. Immediate mitigation should involve implementing strict file upload size validation and throttling at the application or web server level to enforce the 300 KB limit effectively. 2. Monitor and log file upload activities to detect abnormal upload sizes or volumes that could indicate exploitation attempts. 3. Apply network-level rate limiting and web application firewall (WAF) rules to restrict excessive upload requests from single IP addresses or user accounts. 4. Engage with Liferay support or vendor channels to obtain official patches or updates addressing this vulnerability as soon as they become available. 5. Review and harden user registration and profile update workflows to include additional validation and possibly CAPTCHA to reduce automated abuse. 6. Conduct regular performance monitoring of Liferay Portal instances to identify unusual resource consumption patterns early. 7. Consider isolating Liferay Portal instances behind load balancers or reverse proxies that can provide additional filtering and throttling capabilities. 8. Educate administrators and users about the vulnerability and encourage reporting of any unusual system behavior related to profile picture uploads.