
CVE-2025-43801: CWE-606: Unchecked Input for Loop Condition in Liferay Portal

Medium
Tags: Vulnerability, CVE-2025-43801, CWE-606
Published: Tue Sep 16 2025 (09/16/2025, 16:09:05 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform denial-of-service (DoS) attacks via a crafted XML-RPC request.

AI-Powered Analysis

Last updated: 09/16/2025, 16:19:38 UTC

Technical Analysis

CVE-2025-43801 is a medium severity vulnerability identified in Liferay Portal versions 7.4.0 through 7.4.3.111, various Liferay DXP 2023 releases, and older unsupported versions. The vulnerability is classified under CWE-606, which refers to unchecked input for loop conditions. Specifically, this flaw exists in the XML-RPC component of Liferay Portal, where user-supplied input is not properly validated before being used as a loop condition. An attacker can craft a malicious XML-RPC request that causes the application to enter an excessive or infinite loop, leading to resource exhaustion and ultimately a denial-of-service (DoS) condition. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is primarily on availability (VA:L), with no impact on confidentiality or integrity. No known exploits are currently reported in the wild, and no official patches are linked yet. The vulnerability affects multiple actively supported and older unsupported Liferay Portal and DXP versions, which are widely used enterprise web portals and content management systems. The unchecked loop condition in XML-RPC processing can be triggered remotely, making it a significant risk for organizations relying on Liferay for web services and portal functionality.

Potential Impact

For European organizations, the impact of CVE-2025-43801 can be substantial, especially for those using Liferay Portal or DXP as a critical component of their web infrastructure. A successful exploitation can cause denial-of-service, leading to service outages, degraded user experience, and potential disruption of business operations. This can affect public sector portals, financial institutions, healthcare providers, and large enterprises that depend on Liferay for internal and external web services. The DoS condition could also be leveraged as part of a larger attack campaign to distract or disrupt defenses. Although the vulnerability does not directly compromise data confidentiality or integrity, the availability impact can result in reputational damage, regulatory scrutiny under GDPR if service disruptions affect personal data processing, and financial losses due to downtime. The remote and unauthenticated nature of the exploit increases the risk profile, as attackers do not need insider access or user interaction to trigger the vulnerability.

Mitigation Recommendations

1. Immediate mitigation should focus on restricting access to the XML-RPC interface, such as implementing network-level controls (firewalls, IP whitelisting) to limit exposure only to trusted sources.
2. Deploy Web Application Firewalls (WAFs) with custom rules to detect and block suspicious XML-RPC requests that contain abnormal loop conditions or excessive payload sizes.
3. Monitor application logs and network traffic for unusual XML-RPC activity indicative of exploitation attempts.
4. Engage with Liferay support or community channels to obtain official patches or updates as soon as they become available and prioritize their deployment.
5. If patching is delayed, consider disabling XML-RPC functionality temporarily if it is not critical to business operations.
6. Conduct thorough testing of Liferay Portal instances to identify any custom integrations or plugins that might exacerbate the vulnerability or complicate mitigation.
7. Educate security and IT teams about this vulnerability to ensure rapid incident response if exploitation attempts are detected.
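The advisory does not describe the internals of the affected XML-RPC component, so the following is an added illustration rather than Liferay code or a reconstruction of the flaw. It shows the generic defence for CWE-606 that the technical analysis and mitigations 2 and 5 point at: every loop bound in request handling comes from a fixed cap and from elements actually present in the parsed document, never from a count or size the client asserts, and a streaming pass rejects oversized, over-populated or deeply nested bodies before any full parse is attempted. The limits, the method names and the sample requests are constructed assumptions.

```python
"""Added illustration (not Liferay code): bounded handling of XML-RPC request
bodies, the generic defence for CWE-606 (unchecked input for loop condition).
All limits, method names and sample requests below are constructed."""
import xml.etree.ElementTree as ET
from io import BytesIO

MAX_BODY_BYTES = 64 * 1024   # assumed limit; tune for the deployment
MAX_ELEMENTS = 2000          # total XML elements allowed in one request
MAX_DEPTH = 32               # nesting depth (nested <array>/<struct>)
MAX_ARRAY_ITEMS = 256        # cap applied to every input-derived loop bound


class RequestRejected(ValueError):
    """Raised when a request exceeds a structural limit."""


def check_xmlrpc_body(body: bytes) -> dict:
    """Walk the body with a streaming parser, counting elements and nesting
    depth and aborting as soon as a limit is crossed. The work spent on
    rejecting a hostile request is bounded by the limit, not by the request."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestRejected(f"body too large: {len(body)} bytes")
    elements = depth = max_depth = 0
    method = None
    for event, elem in ET.iterparse(BytesIO(body), events=("start", "end")):
        if event == "start":
            elements += 1
            depth += 1
            max_depth = max(max_depth, depth)
            if elements > MAX_ELEMENTS:
                raise RequestRejected("too many elements")
            if depth > MAX_DEPTH:
                raise RequestRejected("nesting too deep")
        else:
            if elem.tag == "methodName":
                method = (elem.text or "").strip()
            depth -= 1
    if method is None:
        raise RequestRejected("missing methodName")
    return {"method": method, "elements": elements, "max_depth": max_depth}


def collect_array_items(array_elem: ET.Element) -> list:
    """Iterate over the <value> children that are actually present and stop at
    a fixed cap. The loop bound is the parsed structure plus a constant, never
    a length the client claims (the CWE-606 pattern)."""
    items = []
    data = array_elem.find("data")
    for value in (data.findall("value") if data is not None else []):
        if len(items) >= MAX_ARRAY_ITEMS:
            raise RequestRejected("array too long")
        typed = value[0] if len(value) else None
        items.append((typed.tag, typed.text or "") if typed is not None
                     else ("string", value.text or ""))
    return items


def first_param_array(body: bytes) -> list:
    """Full parse of an already-checked body; returns the items of the array in
    the first parameter, or [] if the first parameter is not an array."""
    root = ET.fromstring(body)
    array_elem = root.find("./params/param/value/array")
    return [] if array_elem is None else collect_array_items(array_elem)


def accept(body: bytes) -> tuple:
    """Request-filter decision: (accepted, method name or rejection reason).
    The streaming check runs first so the DOM parse only sees bounded input."""
    try:
        info = check_xmlrpc_body(body)
        first_param_array(body)
        return True, info["method"]
    except (RequestRejected, ET.ParseError) as exc:
        return False, str(exc)


def build_request(method: str, n_values: int) -> bytes:
    """Constructed sample: a call whose single parameter is an array of ints."""
    values = "".join(f"<value><int>{i}</int></value>" for i in range(n_values))
    return (f"<?xml version='1.0'?><methodCall><methodName>{method}</methodName>"
            f"<params><param><value><array><data>{values}</data></array></value>"
            f"</param></params></methodCall>").encode()


def build_nested_request(levels: int) -> bytes:
    """Constructed sample: a parameter made of `levels` nested empty arrays."""
    inner = ""
    for _ in range(levels):
        inner = f"<value><array><data>{inner}</data></array></value>"
    return (f"<?xml version='1.0'?><methodCall><methodName>demo.nest</methodName>"
            f"<params><param>{inner}</param></params></methodCall>").encode()


if __name__ == "__main__":
    print(accept(build_request("demo.echo", 3)))        # accepted
    print(accept(build_request("demo.echo", 1500)))     # too many elements
    print(accept(build_request("demo.echo", 300)))      # array too long
    print(accept(build_nested_request(40)))             # nesting too deep
```

The point of the two-stage design is that the cheap streaming pass is the only code that ever touches an unbounded request, and its own loop terminates as soon as a counter crosses a constant; a WAF rule enforcing the same body-size and element-count limits in front of the portal (mitigation 2) gives the same guarantee without a code change.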


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-17T10:55:33.791Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68c98df7d592b4af578fc5d9

Added to database: 9/16/2025, 4:19:03 PM

Last enriched: 9/16/2025, 4:19:38 PM

Last updated: 9/17/2025, 1:05:23 AM
