CVE-2025-43764
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-23

Last updated on: 2025-12-12

Assigner: Liferay Inc.

Description
Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-23
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-08-23
EPSS Evaluated
2026-06-15
NVD
CVE-2025-43764
Affected Vendors & Products
Showing 98 associated CPEs
Vendor Product Version / Range
liferay digital_experience_platform From 2024.Q1.1 (inc) to 2024.Q1.20 (inc)
liferay digital_experience_platform From 2024.q2.0 (inc) to 2024.q2.13 (inc)
liferay digital_experience_platform From 2024.q3.1 (inc) to 2024.q3.13 (inc)
liferay digital_experience_platform From 2024.Q4.0 (inc) to 2024.Q4.2 (exc)
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay digital_experience_platform 7.4
liferay liferay_portal From 7.4.0 (inc) to 7.4.3.132 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-43764 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Role Name search field of the Kaleo Designer portlet's JavaScript in Liferay Portal and Liferay DXP. Authenticated users with permissions to update Kaleo Workflows can input a malicious regular expression pattern that causes their browser to hang for a long time, effectively causing a denial of service. [1]

Impact Analysis

This vulnerability can cause the browser of an authenticated user with workflow update permissions to hang or become unresponsive for an extended period when processing a malicious regular expression. This results in a denial of service, potentially disrupting workflow updates and user productivity. [1]

Detection Guidance

Detection involves verifying if your Liferay Portal or Liferay DXP installation is within the affected versions and if users with permissions to update Kaleo Workflows have input malicious regex patterns in the Role Name search field of the Kaleo Designer portlet. Since the vulnerability causes the browser to hang when processing malicious regex, monitoring for unusual browser hangs or performance degradation during Role Name searches can be indicative. There are no specific commands provided to detect this vulnerability directly. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading your Liferay Portal or Liferay DXP to the fixed versions: Liferay Portal 7.4.3.132, Liferay DXP 2024.Q4.2, or Liferay DXP 2025.Q1.0. Additionally, restrict permissions to update Kaleo Workflows to trusted users only, and monitor or audit inputs to the Role Name search field to prevent malicious regex patterns from being entered. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-43764. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart