CVE-2025-43764 is a vulnerability classified under CWE-1333 (Inefficient Regular Expression Complexity) affecting Liferay Portal versions 7.4.0 through 7.4.3.131 and multiple Liferay DXP 2024 quarterly releases. The issue resides in the Kaleo Designer portlet's Role Name search field JavaScript component, where authenticated users with permissions to update Kaleo Workflows can input malicious regular expression patterns. These patterns cause a Self-ReDoS (Regular Expression Denial of Service) condition, leading to excessive CPU consumption in the user's browser, effectively hanging or severely degrading browser responsiveness. This vulnerability requires the attacker to be authenticated and have specific workflow update permissions, limiting the attack surface to authorized users. The CVSS 4.0 base score is 6.9 (medium severity), reflecting network attack vector, low attack complexity, no privileges required beyond the workflow update permission, and partial impacts on confidentiality, integrity, and high impact on availability. The vulnerability does not appear to have known exploits in the wild yet, and no official patches have been linked at the time of publication. The root cause is inefficient handling of complex regular expressions in client-side JavaScript, which can be exploited to cause denial of service by resource exhaustion on the client side rather than server-side impact. This vulnerability is significant because it can disrupt workflow management activities and degrade user experience for authorized users, potentially impacting business operations relying on Liferay Portal's workflow capabilities.

For European organizations using Liferay Portal and Liferay DXP, this vulnerability poses a risk primarily to internal users with workflow update permissions. The impact is a denial of service condition affecting the availability of the Kaleo Designer portlet's Role Name search functionality, potentially disrupting workflow management and related business processes. While the attack requires authentication and specific permissions, insider threats or compromised accounts could exploit this to degrade productivity or cause operational delays. Since Liferay Portal is widely used in enterprise content management and digital experience platforms across Europe, organizations in sectors such as government, finance, education, and healthcare that rely on Liferay for workflow automation could experience interruptions. The vulnerability does not directly compromise confidentiality or integrity of data but can indirectly affect business continuity. The client-side nature of the attack means that server infrastructure is less impacted, but user workstation performance and usability are degraded. Given the medium severity and the need for authenticated access, the threat is moderate but should not be ignored, especially in environments with multiple privileged users and complex workflows.

1. Restrict permissions tightly: Limit the number of users who have permissions to update Kaleo Workflows to only those absolutely necessary. 2. Input validation and sanitization: Implement server-side and client-side validation to detect and reject overly complex or malicious regular expressions before they reach the JavaScript component. 3. Update Liferay Portal: Monitor Liferay's official security advisories and apply patches or updates as soon as they become available to address this vulnerability. 4. User training and monitoring: Educate privileged users about the risks of entering complex regex patterns and monitor workflow update activities for anomalous inputs. 5. Browser resource limits: Encourage use of browsers or browser configurations that limit script execution time or CPU usage per tab to reduce impact of ReDoS attacks. 6. Implement Web Application Firewall (WAF) rules: If possible, create rules to detect and block suspicious regex patterns or excessive input lengths targeting the Kaleo Designer portlet. 7. Incident response planning: Prepare to quickly identify and respond to denial of service conditions affecting workflow management to minimize operational disruption.