CVE-2025-43764: CWE-1333 Inefficient Regular Expression Complexity in Liferay Portal
Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.
AI Analysis
Technical Summary
CVE-2025-43764 is a vulnerability classified under CWE-1333, which pertains to inefficient regular expression complexity leading to a Self-ReDoS (Regular expression Denial of Service) condition in the Liferay Portal product. Specifically, the issue exists in the Role Name search field of the Kaleo Designer portlet JavaScript component. The affected versions include Liferay Portal 7.4.0 through 7.4.3.131 and multiple versions of Liferay DXP from 2024.Q1.1 through 2024.Q4.1, including 7.4 GA through update 92. The vulnerability allows authenticated users who have permissions to update Kaleo Workflows to input malicious regular expression patterns. These patterns cause the user's browser to hang for an extended period due to excessive backtracking or inefficient regex evaluation, effectively resulting in a denial of service on the client side. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network attack vector with low complexity and no privileges required beyond those already granted to update workflows. The attack requires user interaction (the user must trigger the regex evaluation in their browser), and the impact primarily affects availability and integrity at a low to medium level. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is notable because it targets a legitimate feature (workflow role name search) and exploits inefficient regex handling in client-side JavaScript, which can degrade user experience and potentially disrupt business processes relying on workflow management within Liferay Portal.
Potential Impact
For European organizations using Liferay Portal or Liferay DXP, this vulnerability could disrupt internal workflow management processes by causing browser hangs for users with permissions to update Kaleo Workflows. This can lead to productivity losses, delays in business operations, and potential denial of service for critical internal applications. Since the attack requires authenticated users with specific permissions, the risk is somewhat contained within trusted user groups; however, insider threats or compromised accounts could exploit this to degrade service availability. Additionally, if workflow updates are part of compliance or audit processes, disruption could indirectly impact regulatory adherence. The client-side nature of the hang means server infrastructure is not directly impacted, but user experience and operational continuity are at risk. European organizations in sectors with heavy reliance on Liferay Portal for intranet or customer-facing portals—such as government, finance, and large enterprises—may face operational challenges if this vulnerability is exploited.
Mitigation Recommendations
1. Restrict permissions tightly: Limit the number of users who have permissions to update Kaleo Workflows to only those absolutely necessary, reducing the attack surface.
2. Input validation and sanitization: Implement server-side and client-side validation to detect and reject overly complex or malicious regular expressions before they are processed.
3. Update to patched versions: Monitor Liferay's official channels for patches addressing this vulnerability and apply them promptly once available.
4. Monitor user activity: Implement logging and anomaly detection to identify unusual workflow update patterns or repeated failed regex evaluations that may indicate exploitation attempts.
5. Educate users: Train authorized users on the risks of entering complex regex patterns and encourage reporting of any browser performance issues during workflow updates.
6. Consider disabling or restricting the Role Name search field functionality temporarily if feasible until patches are applied, especially in high-risk environments.
7. Use browser or client-side resource limits: Employ browser extensions or policies that limit script execution time or resource consumption to mitigate hangs caused by malicious regex patterns.
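The validation approach from item 2, as an added example that is not Liferay's code: it assumes a client-side name filter that builds a RegExp from the typed search term (the CWE-1333 shape described above), escapes the term so it is matched literally, and, for features that genuinely need regex input, applies a heuristic pre-check for nested quantifiers. ROLE_NAMES, the function names and the length limit are constructed for this example.

```javascript
// Added example (not Liferay code): hardening a client-side "search by name"
// filter that turns user input into a RegExp.

// Constructed sample data standing in for workflow role names.
const ROLE_NAMES = ["Administrator", "Portal Content Reviewer", "Site Member", "Guest"];

// Escape every regex metacharacter so the search term is matched literally.
function escapeRegExp(term) {
  return term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened filter: user text never becomes regex syntax, so nothing the user
// types can change the complexity of the match (no catastrophic backtracking).
function filterRoleNames(term, names = ROLE_NAMES) {
  const re = new RegExp(escapeRegExp(term), "i");
  return names.filter((n) => re.test(n));
}

// Second line of defence when regex input is actually required: reject a
// quantified group that is itself quantified, the classic backtracking shape.
// Heuristic assumption: catches the common nested-quantifier form, not every
// slow pattern, so it complements the length limit rather than replacing it.
function hasNestedQuantifier(pattern) {
  return /\([^()]*[+*][^()]*\)[+*?{]/.test(pattern) ||
         /\([^()]*\{\d+,?\d*\}[^()]*\)[+*?{]/.test(pattern);
}

// Validate a user-supplied pattern before it is ever compiled for matching.
function validateUserPattern(pattern, maxLength = 64) {
  if (pattern.length > maxLength) return { ok: false, reason: "pattern too long" };
  if (hasNestedQuantifier(pattern)) return { ok: false, reason: "nested quantifier" };
  try {
    new RegExp(pattern);
  } catch (e) {
    return { ok: false, reason: "invalid syntax" };
  }
  return { ok: true, reason: "" };
}
```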
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-17T10:55:26.804Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a94b77ad5a09ad0026bc3c
Added to database: 8/23/2025, 5:02:47 AM
Last enriched: 8/23/2025, 5:17:48 AM
Last updated: 8/23/2025, 6:06:30 AM