CVE-2025-43736
BaseFortify

Publication date: 2025-08-12

Last updated on: 2025-12-16

Assigner: Liferay Inc.

Description
A Denial of Service via File Upload (DoS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture larger than 300 KB into the user profile, exceeding the documented maximum of 300 KB. The extra data can make Liferay slower.
Meta Information
Published: 2025-08-12
Last Modified: 2025-12-16
Generated: 2026-05-07
AI Q&A: 2025-08-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
7 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.q1.1 (inc) to 2024.q1.16 (inc)
liferay digital_experience_platform From 2024.Q2.1 (inc) to 2024.Q2.13 (inc)
liferay digital_experience_platform From 2024.q3.1 (inc) to 2024.q3.13 (inc)
liferay digital_experience_platform From 2024.q4.0 (inc) to 2024.q4.7 (inc)
liferay digital_experience_platform From 2025.q1.0 (inc) to 2025.q1.8 (inc)
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.3.0 (inc) to 7.4.3.132 (inc)
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-43736 is a Denial of Service (DoS) vulnerability in Liferay Portal and Liferay DXP that occurs when users upload profile pictures larger than the intended maximum size of 300 KB. This bypass of the size restriction allows larger-than-allowed images, which can degrade system performance and slow down the Liferay platform. [1]

How can this vulnerability impact me?

This vulnerability can impact you by causing the Liferay system to slow down due to processing profile pictures that exceed the allowed size limit. This degradation in performance can affect the availability and responsiveness of the platform, potentially disrupting normal operations. [1]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring user profile picture uploads to identify images exceeding the 300 KB size limit. You can check the size of uploaded profile pictures in the Liferay system storage or database. For example, if profile pictures are stored in a directory, you can use commands like 'find /path/to/profile_pictures -type f -size +300k' on the server to list files larger than 300 KB. Additionally, reviewing application logs for upload events or implementing custom logging to capture oversized uploads can help detect exploitation attempts. [1]

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Liferay Portal and Liferay DXP to versions where the fix has been implemented, specifically Liferay Portal master branch or Liferay DXP versions 2025.Q2.0, 2025.Q1.9, and 2024.Q1.17. Until an upgrade is possible, you can enforce file size restrictions on profile picture uploads at the application or web server level to block images larger than 300 KB. Monitoring and alerting on large file uploads can also help mitigate the impact. [1]
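The detection and interim mitigation answers above both come down to one control: the 300 KB limit must be enforced on the bytes actually received, and existing storage must be checked for files that got past it. The following is an added illustration, not BaseFortify's or Liferay's code: it contrasts an upload reader that only trusts the client-declared length with one that counts bytes as they arrive and aborts at the limit, and it includes a directory scan equivalent to the `find ... -size +300k` command from the detection answer. All sample data (the fake image bodies, the temporary picture store and its file names) is constructed inside the script; it does not touch a real Liferay installation.

```python
import io
import os
import tempfile

MAX_PROFILE_PICTURE_BYTES = 300 * 1024  # the 300 KB limit named in the advisory


class UploadTooLarge(Exception):
    """Raised when an upload exceeds MAX_PROFILE_PICTURE_BYTES."""


def read_upload_trusting_header(stream, declared_length):
    """Weak pattern: only the client-declared length is checked, so a
    request that understates its size gets its whole body read anyway."""
    if declared_length > MAX_PROFILE_PICTURE_BYTES:
        raise UploadTooLarge(f"declared {declared_length} bytes")
    return stream.read()


def read_upload_bounded(stream, chunk_size=64 * 1024):
    """Hardened pattern: count bytes as they arrive and abort as soon as
    the limit is passed, independent of any declared length."""
    buf = bytearray()
    while True:
        # never request more than one byte past the limit
        want = min(chunk_size, MAX_PROFILE_PICTURE_BYTES + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > MAX_PROFILE_PICTURE_BYTES:
            raise UploadTooLarge("upload exceeds 300 KB, aborted mid-stream")


def find_oversized_pictures(directory, limit=MAX_PROFILE_PICTURE_BYTES):
    """Detection on existing storage: every file strictly larger than the
    limit, the same set `find DIR -type f -size +300k` would list."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            size = os.path.getsize(path)
            if size > limit:
                hits.append((os.path.relpath(path, directory), size))
    return sorted(hits)


def demo():
    """Runs both readers and the scan against constructed inputs and
    returns a summary dict (constructed sample data, not real storage)."""
    oversized_body = io.BytesIO(b"\xff" * (400 * 1024))  # 400 KB fake image
    lying_header = 100 * 1024                             # client claims 100 KB

    # the header-only check accepts all 400 KB because the claim was small
    accepted_weak = len(read_upload_trusting_header(oversized_body, lying_header))

    # the bounded reader rejects the same body regardless of any header
    try:
        read_upload_bounded(io.BytesIO(b"\xff" * (400 * 1024)))
        rejected_hard = False
    except UploadTooLarge:
        rejected_hard = True

    # a body of exactly 300 KB is still accepted in full
    at_limit = len(read_upload_bounded(io.BytesIO(b"\xff" * (300 * 1024))))

    with tempfile.TemporaryDirectory() as store:
        # constructed picture store: one compliant file, one oversized file
        with open(os.path.join(store, "user1.png"), "wb") as f:
            f.write(b"\x00" * (200 * 1024))
        with open(os.path.join(store, "user2.png"), "wb") as f:
            f.write(b"\x00" * (350 * 1024))
        hits = find_oversized_pictures(store)

    return {
        "weak_check_accepted_bytes": accepted_weak,
        "bounded_check_rejected": rejected_hard,
        "bounded_check_at_limit_bytes": at_limit,
        "oversized_files": hits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The bounded reader is the shape of the check to put in front of the profile-picture handler (or to mirror with a request-body limit on the web server in front of it): it caps memory and CPU spent per request at the limit plus one byte, whereas the header-trusting version spends whatever the client chooses to send. The scan is the after-the-fact counterpart for finding pictures already stored past the limit.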
