
CVE-2025-43772: CWE-400 Uncontrolled Resource Consumption in Liferay Portal

High
Tags: Vulnerability, CVE-2025-43772, cve, cwe-400
Published: Thu Sep 04 2025 (09/04/2025, 01:57:13 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory, leading to denial-of-service (DoS) conditions, via a crafted HTTP request.

AI-Powered Analysis

AI analysis last updated: 09/04/2025, 02:47:45 UTC

Technical Analysis

CVE-2025-43772 is a high-severity uncontrolled resource consumption flaw (CWE-400) in the Kaleo Forms Admin portlet of Liferay Portal 7.0.0 through 7.4.3.4, Liferay DXP 7.4 GA, DXP 7.3 GA through update 27, and older unsupported versions. The portlet copies request parameters into the portlet session without bounding their number or size. A portlet session is held in the JVM heap for the lifetime of the underlying HTTP session, so memory claimed by one crafted request is not released when that request completes: an attacker who sends many parameters, very large parameter values, or repeated requests can grow the heap until the JVM spends most of its time in garbage collection or fails with an OutOfMemoryError, taking the portal down or degrading it for every user. According to the published CVSS 4.0 vector the attack is network-reachable with low complexity and requires neither privileges nor user interaction, giving a base score of 7.1 (High); the impact is limited to availability, but because the cost lands on the portal JVM itself, exhaustion affects every feature the instance serves, not only Kaleo Forms. No exploitation in the wild had been reported and no vendor patch was linked at the time of this entry; the affected-version list implies that releases after Liferay Portal 7.4.3.4 and DXP 7.3 update 27 contain the fix, which should be confirmed against Liferay's own advisory.

Potential Impact

For European organizations running Liferay Portal, this vulnerability is primarily a threat to the availability of web portals and the enterprise applications behind them. Liferay is widely used across European government, education, healthcare and large enterprises for intranet and extranet portals, digital experience platforms and content management, so a successful attack translates into outages of citizen services, customer-facing portals and internal workflows. Public sector bodies and financial institutions, where portal availability is tied to service obligations, are most exposed. Prolonged denial of service can bring reputational damage and financial loss from downtime, and where the portal processes personal data the availability and resilience requirements of GDPR Article 32 may draw regulatory attention. Because the published vector requires no authentication, the flaw is a natural candidate for automated, large-scale attacks from external actors, and organizations running unsupported Liferay versions or lacking incident response capacity are at greater risk. Where the portal is integrated with other internal systems, an outage can cascade into those systems as well.

Mitigation Recommendations

1. Cap request parameters before they reach the portlet. A WAF or reverse-proxy rule that rejects requests to the Kaleo Forms Admin portlet carrying an abnormal number of parameters or an abnormal total parameter size removes the cheapest attack shape. On Tomcat-based bundles the HTTP Connector attributes maxParameterCount and maxPostSize in server.xml also bound what the container will parse per request (their defaults are generous: 10000 parameters and 2 MB of POST body). Per-request caps are necessary but not sufficient: the data accumulates in the session, so an attacker can spread the load over many requests; pair them with the session and rate controls below.
2. Restrict access to the Kaleo Forms Admin interface to trusted internal networks or authenticated users where possible, reducing the attack surface.
3. Rate-limit requests per client to the portal, and in particular to the affected portlet, to slow automated exploitation.
4. Shorten the session timeout (the servlet container's session timeout and Liferay's session.timeout portal property) and, where the container allows, bound the number of concurrent sessions. Memory held by a filled session is freed only when that session expires, so long timeouts let an attacker's sessions occupy the heap for longer.
5. Audit input validation and session management for similar patterns in which request data is persisted server-side without bounds, and remediate them.
6. Track Liferay's advisory for the fixed release and deploy it promptly. The affected-version list implies that Liferay Portal releases after 7.4.3.4 and DXP 7.3 updates after 27 include the fix, but confirm this before upgrading.
7. Monitor JVM heap usage, garbage-collection time and active session counts, and alert on sudden growth; a memory-exhaustion attack is visible well before the JVM fails.
8. If the Kaleo Forms Admin functionality is not required, disable or undeploy it until a fixed version is in place.
9. Include session management and resource-consumption cases in regular security assessments and penetration tests.
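The following Python script is an added illustration, not part of the advisory or of Liferay's code base. It applies the per-request parameter caps from item 1 and the per-client burst check from item 3 to access-log lines in combined format, flagging requests to the Kaleo Forms Admin portlet that exceed the caps and clients that hammer the portlet. The p_p_id value used to recognise the portlet is an assumption to be verified against your own portal URLs, the thresholds are assumed starting points, and the log lines are constructed, not captured traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: the p_p_id Liferay uses for the Kaleo Forms Admin portlet.
# Confirm it against your own portal URLs; the advisory does not state it.
KALEO_FORMS_ADMIN_PORTLET_ID = (
    "com_liferay_portal_workflow_kaleo_forms_web_portlet_KaleoFormsAdminPortlet"
)

# Per-request caps (assumed starting values; tune to legitimate traffic). These
# are the limits a WAF rule or servlet filter would enforce ahead of the portlet.
MAX_PARAMS = 100          # parameters in one request
MAX_PARAM_BYTES = 8192    # combined length of all keys and values
BURST_THRESHOLD = 20      # requests from one client to the portlet in the sample

# Combined/NCSA access-log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the request's parameter profile, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "portlet": dict(params).get("p_p_id", ""),
        "param_count": len(params),
        "param_bytes": sum(len(k) + len(v) for k, v in params),
    }


def targets_portlet(req):
    return req is not None and req["portlet"] == KALEO_FORMS_ADMIN_PORTLET_ID


def is_suspicious(req):
    """True when a request to the portlet exceeds either per-request cap."""
    if not targets_portlet(req):
        return False
    return req["param_count"] > MAX_PARAMS or req["param_bytes"] > MAX_PARAM_BYTES


def analyze(lines):
    """Return (flagged requests, clients at or above the burst threshold)."""
    flagged = []
    per_ip = Counter()
    for line in lines:
        req = parse_line(line)
        if targets_portlet(req):
            per_ip[req["ip"]] += 1
        if is_suspicious(req):
            flagged.append((req["ip"], req["param_count"], req["param_bytes"]))
    bursts = {ip: n for ip, n in per_ip.items() if n >= BURST_THRESHOLD}
    return flagged, bursts


def constructed_sample_log():
    """Constructed log lines (not captured traffic): one normal admin request,
    one request carrying 300 padded parameters, and a burst of 25 POSTs."""
    base = f"/group/control_panel/manage?p_p_id={KALEO_FORMS_ADMIN_PORTLET_ID}&p_p_lifecycle=0"
    benign = (f'203.0.113.5 - - [04/Sep/2025:01:57:13 +0000] '
              f'"GET {base}&p_p_state=maximized HTTP/1.1" 200 5120')
    flood = base + "".join(f"&x{i}={'A' * 40}" for i in range(300))
    attack = f'198.51.100.9 - - [04/Sep/2025:01:58:00 +0000] "GET {flood} HTTP/1.1" 200 5120'
    burst = [f'198.51.100.9 - - [04/Sep/2025:01:58:{i:02d} +0000] "POST {base} HTTP/1.1" 200 512'
             for i in range(1, 26)]
    return [benign, attack] + burst


if __name__ == "__main__":
    flagged, bursts = analyze(constructed_sample_log())
    for ip, count, size in flagged:
        print(f"oversized request from {ip}: {count} params, {size} bytes")
    for ip, n in bursts.items():
        print(f"burst from {ip}: {n} requests to the portlet")
```

Access logs carry only the query string, so parameters sent in a POST body are invisible to this check; for that case the same caps have to be enforced in the WAF or in a servlet filter in front of the portlet. The burst count, which is per client and independent of where the parameters travel, still surfaces an attacker who spreads the payload over many small requests.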


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:28.237Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68b8fa50ad5a09ad00fd449d

Added to database: 9/4/2025, 2:32:48 AM

Last enriched: 9/4/2025, 2:47:45 AM

Last updated: 9/4/2025, 3:19:22 AM
