
CVE-2025-43752: CWE-770 Allocation of Resources Without Limits or Throttling in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-43752, CWE-770
Published: Fri Aug 22 2025 (08/22/2025, 00:00:45 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited number of files through the object entries attachment fields. The files are stored in the document_library, allowing an attacker to cause a potential DDoS.

AI-Powered Analysis

Last updated: 08/29/2025, 01:12:26 UTC

Technical Analysis

CVE-2025-43752 is a medium-severity vulnerability in Liferay Portal 7.4.0 through 7.4.3.132 and 7.4 GA through update 92, and in the Liferay DXP 2024.Q1 through 2025.Q1 quarterly releases listed in the description. It is classified as CWE-770, Allocation of Resources Without Limits or Throttling. The object entries attachment fields accept an unlimited number of uploaded files, and every uploaded file is stored in the document_library. Because nothing bounds how many files a user may attach, an attacker can keep uploading until the document library's backing store and the processing behind it are exhausted, degrading or taking down the portal. The CVE description calls the outcome a potential DDoS, but the mechanism is resource exhaustion on the server and a single client can drive it; it only becomes "distributed" if the attacker chooses to spread the uploads across many sources. The CVSS 4.0 base score given here is 5.3 (medium), with a network attack vector, low attack complexity, no privileges required and user interaction required; as scored, no authentication is needed, though the interaction is the upload itself. The security property affected is availability; the flaw does not by itself alter or expose data, so integrity and confidentiality are not impacted. No exploitation in the wild is reported and this listing links no patch, although releases outside the version ranges above are not listed as affected. The exposure matters because Liferay Portal is widely deployed as an enterprise platform for portals, intranets and websites that carry business-critical content and workflows.

Potential Impact

For European organizations running Liferay Portal or Liferay DXP, the risk is service disruption through resource exhaustion. An attacker can upload large volumes of files through the object entries attachment fields, filling the document library's storage and degrading performance or causing an outage. That interrupts business operations for organizations that rely on Liferay for customer-facing portals, internal collaboration or content management, and it is most serious in sectors with strict availability requirements such as finance, government, healthcare and telecommunications. If the document library shares a volume with the database or the application host, a full store can take those down as well. Outages can also bring reputational damage and regulatory scrutiny under GDPR where they affect the availability of personal data or its processing. Because the rating on this page assumes no privileges are required, both external attackers and malicious insiders could exploit the flaw with little effort, and the absence of any upload limit or throttle makes scripted, automated exhaustion attacks straightforward.

Mitigation Recommendations

Organizations running an affected version should move to a release outside the affected ranges given in the description. Until that is done, apply compensating controls aimed at the resource-exhaustion vector:
1) Configure the web application firewall or reverse proxy to cap the number and size of upload requests per user and per source IP, throttling bursts aimed at the object entries attachment fields.
2) Enforce rate limits and upload quotas at the application or infrastructure level so that no single principal can consume unbounded storage.
3) Monitor and alert on unusual spikes in upload activity and on abnormal growth of the document_library repository.
4) Restrict the permission to create or edit object entries with attachment fields to trusted roles where that is feasible, to reduce the exposed population.
5) Audit uploaded files regularly and remove excessive or malicious content.
6) Place the document_library store on a dedicated volume with capacity alerts, so a filled store cannot exhaust the disk shared by the database or application host.
7) Keep Liferay Portal instances current and watch vendor advisories for a fix addressing this vulnerability.
8) Use network segmentation to keep the portal's upload endpoints off untrusted networks where the use case allows.
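The throttling and monitoring controls above (items 1 to 3) reduce to one check: count uploads per source inside a trailing time window and act once a source exceeds its quota. The Python below is an example added for this page, not Liferay code or anything from the original analysis; it runs that sliding-window check over access-log lines in combined log format, which is what a reverse proxy would emit in front of the portal. The upload path /upload/attachment, the quota of 20 uploads per 60 seconds and the sample requests are assumptions constructed for illustration; in a real deployment, point UPLOAD_PATH at the attachment endpoint your proxy actually sees and key on the authenticated user where the proxy logs it.

```python
"""Flag sources that exceed an upload quota inside a sliding window.

Example added for this page (not Liferay code). It implements the
per-source throttling check that a WAF, reverse proxy or log-monitoring
job would apply to the attachment upload endpoint. The upload path,
the quota and the log lines below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ASSUMPTION: uploads are POSTs to a path under /upload/attachment.
UPLOAD_PATH = re.compile(r"^/upload/attachment(?:[/?]|$)")
# Combined log format: ip ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW = timedelta(seconds=60)   # trailing window the quota applies to
MAX_UPLOADS = 20                 # uploads allowed per source per WINDOW (assumed)


def parse_line(line):
    """Return (ip, user, datetime, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["user"], ts, m["method"], m["path"]


def find_upload_floods(lines, max_uploads=MAX_UPLOADS, window=WINDOW, key="ip"):
    """Return (source, count, timestamp) alerts, one per upload that pushes a
    source over max_uploads uploads inside the trailing window.

    Lines for a given source are expected in chronological order, as in a log.
    key selects whether a source is the client IP or the logged user name.
    """
    recent = defaultdict(deque)  # source -> timestamps of uploads still in window
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, user, ts, method, path = parsed
        if method != "POST" or not UPLOAD_PATH.match(path):
            continue                      # page views and other traffic are ignored
        source = ip if key == "ip" else user
        q = recent[source]
        while q and ts - q[0] > window:   # drop uploads that have aged out
            q.popleft()
        q.append(ts)
        if len(q) > max_uploads:
            alerts.append((source, len(q), ts))
    return alerts


def flagged_sources(lines, **kw):
    """Set of sources that exceeded the quota at least once."""
    return {source for source, _, _ in find_upload_floods(lines, **kw)}


def make_line(ip, user, ts, method="POST", path="/upload/attachment", status=200):
    """Build one combined-log-format line (constructed sample data)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return (f'{ip} - {user} [{stamp}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "curl/8.0"')


# Constructed sample log: one flooding client, one legitimate user, one page view.
BASE = datetime(2025, 8, 22, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [make_line("198.51.100.7", "attacker", BASE + timedelta(seconds=i)) for i in range(25)]
    + [make_line("203.0.113.5", "alice", BASE + timedelta(seconds=s)) for s in (5, 35, 65)]
    + [make_line("203.0.113.5", "alice", BASE, method="GET", path="/web/guest/home")]
)

if __name__ == "__main__":
    for source, count, ts in find_upload_floods(SAMPLE_LOG):
        print(f"{ts.isoformat()} {source}: {count} uploads within "
              f"{int(WINDOW.total_seconds())}s (limit {MAX_UPLOADS})")
```

Running the block prints one alert per upload beyond the quota from 198.51.100.7 and nothing for alice, whose three uploads over a minute stay under the limit. The same function, fed from the proxy's log tail, gives the spike alert from item 3; the deque-per-source logic is the same check a proxy rate limit would enforce inline, where the action on breach is to reject the request rather than to log it.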


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:24.865Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a7bab8ad5a09ad0019f01f

Added to database: 8/22/2025, 12:32:56 AM

Last enriched: 8/29/2025, 1:12:26 AM

Last updated: 10/7/2025, 1:48:22 PM

