
CVE-2025-43762: CWE-770 Allocation of Resources Without Limits or Throttling in Liferay Portal

Severity: Medium
Tags: Vulnerability, CVE-2025-43762, CWE-770
Published: Fri Aug 22 2025 (08/22/2025, 18:43:08 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited number of files through forms. The files are stored in the document_library, allowing an attacker to cause a potential DDoS.

AI-Powered Analysis

Last updated: 08/22/2025, 19:19:23 UTC

Technical Analysis

CVE-2025-43762 is a medium severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.4.0 through 7.4.3.132 and various 2024 and 2025 quarterly releases of Liferay DXP. The vulnerability is classified under CWE-770, which pertains to the allocation of resources without limits or throttling. In this case, the issue arises from the ability of users to upload an unlimited number of files through forms in the portal. These files are stored in the document_library component without any enforced restrictions on quantity or size. This lack of throttling can be exploited by an attacker to perform a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack by overwhelming the system's storage and processing resources. The vulnerability does not require authentication (PR:N), but does require user interaction (UI:P), meaning an attacker must submit files through the portal's upload forms. The attack vector is network-based (AV:N), and the attack complexity is low (AC:L), indicating that exploitation is relatively straightforward once the portal is accessible. The impact primarily affects availability, with limited impact on confidentiality and integrity. There are no known exploits in the wild as of the published date, and no patches have been linked yet. The vulnerability affects the core document management functionality of Liferay Portal, a widely used enterprise web platform for building portals, intranets, and websites, often deployed in corporate and government environments.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability poses a risk of service disruption due to resource exhaustion. An attacker could upload excessive files, filling storage and potentially degrading or crashing the portal service, impacting business continuity and user access. This could affect internal collaboration platforms, customer-facing portals, or any critical web services relying on Liferay. The disruption could lead to operational downtime, loss of productivity, and reputational damage. While the vulnerability does not directly expose sensitive data, the denial-of-service impact could indirectly affect confidentiality if emergency response systems or secure communications are interrupted. Organizations in sectors such as finance, government, healthcare, and telecommunications, which often use Liferay for their portals, could face significant operational risks. Additionally, the ease of exploitation and lack of authentication requirements increase the threat level, especially for publicly accessible portals.

Mitigation Recommendations

European organizations should implement strict upload controls on Liferay Portal forms, including limiting the number of files per user/session and enforcing maximum file size restrictions. Administrators should monitor storage usage and set alerts for unusual spikes in document_library size. Implementing web application firewalls (WAF) with rate-limiting rules targeting file upload endpoints can help mitigate abuse. Access controls should be reviewed to restrict upload capabilities to trusted users where possible. Since no official patches are currently linked, organizations should engage with Liferay support for interim fixes or workarounds. Regular backups of portal data and robust incident response plans will help recover quickly from potential attacks. Additionally, logging and monitoring upload activities can aid in early detection of exploitation attempts. Network segmentation and limiting exposure of the portal to only necessary user groups can reduce attack surface. Finally, educating users about the risk and monitoring for suspicious upload behavior is recommended.
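The recommendation above to log and monitor upload activity for early detection can be turned into a simple check over access logs: group successful form-upload POSTs by client address and flag any client whose upload count or cumulative request size exceeds a limit within a sliding time window. The following is an added example (not Liferay's code or part of the original advisory); the log format and the /o/forms/upload path are assumed placeholders, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real Liferay logs); format: ip [ts] "request" status request_length.
# /o/forms/upload is an assumed placeholder for the deployment's real form-upload URL.
SAMPLE_LOG = """\
203.0.113.7 [22/Aug/2025:18:40:01 +0000] "POST /o/forms/upload HTTP/1.1" 200 1048576
203.0.113.7 [22/Aug/2025:18:40:09 +0000] "POST /o/forms/upload HTTP/1.1" 200 1048576
203.0.113.7 [22/Aug/2025:18:40:17 +0000] "POST /o/forms/upload HTTP/1.1" 200 1048576
203.0.113.7 [22/Aug/2025:18:40:25 +0000] "POST /o/forms/upload HTTP/1.1" 200 1048576
198.51.100.4 [22/Aug/2025:18:40:40 +0000] "POST /o/forms/upload HTTP/1.1" 200 204800
198.51.100.4 [22/Aug/2025:18:40:45 +0000] "GET /web/guest/home HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_uploads(text, upload_path):
    """Return (ip, timestamp, request_bytes) for each successful POST to the upload path."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200" or not m["path"].startswith(upload_path):
            continue
        events.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["length"])))
    return events

def find_upload_bursts(events, window_seconds, max_uploads, max_bytes):
    """Return {ip: (count, bytes)} for clients exceeding either limit inside a sliding window."""
    by_ip = defaultdict(list)
    for ip, ts, size in events:
        by_ip[ip].append((ts, size))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = total = 0
        for end, (ts, size) in enumerate(evs):
            total += size
            while (ts - evs[start][0]).total_seconds() > window_seconds:  # drop events older than window
                total -= evs[start][1]
                start += 1
            count = end - start + 1
            if count > max_uploads or total > max_bytes:
                flagged[ip] = (count, total)  # record the first burst that crossed a limit
                break
    return flagged
```

Thresholds should be set from the portal's normal per-user upload volume; the same logic can feed a WAF rate-limiting rule or a storage-growth alert on document_library.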


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:26.803Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a8bed7ad5a09ad00216465

Added to database: 8/22/2025, 7:02:47 PM

Last enriched: 8/22/2025, 7:19:23 PM

Last updated: 8/23/2025, 12:35:18 AM
