CVE-2025-43736

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

A

Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload more than 300kb profile picture into the user profile. This size more than the noted max 300kb size. This extra amount of data can make Liferay slower.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform::::::::
	cpe:2.3:a:liferay:digital_experience_platform:7.4:::::::*
	cpe:2.3:a:liferay:liferay_portal::::::::

History

16 Dec 2025, 16:51

Type	Values Removed	Values Added
First Time		Liferay digital Experience Platform Liferay Liferay liferay Portal
References	~~() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736 -~~	() https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.3
CPE		cpe:2.3:a:liferay:liferay_portal:::::::: cpe:2.3:a:liferay:digital_experience_platform:::::::: cpe:2.3:a:liferay:digital_experience_platform:7.4:::::::*

12 Aug 2025, 14:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-12 11:15

Updated : 2025-12-16 16:51

NVD link : CVE-2025-43736

Mitre link : CVE-2025-43736

CVE.ORG link : CVE-2025-43736

JSON object : View

Products Affected

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-43736", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-12T11:15:26.273", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "A Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload more than 300kb profile picture into the user profile. This size more than the noted max 300kb size. This extra amount of data can make Liferay slower."}, {"lang": "es", "value": "Una vulnerabilidad de denegaci\u00f3n de servicio mediante carga de archivos (DOS) en Liferay Portal (versiones 7.4.3.0 a 7.4.3.132) y Liferay DXP (versiones 2025.Q1.0 a 2025.Q1.8, 2024.Q4.0 a 2024.Q4.7, 2024.Q3.0 a 2024.Q3.13, 2024.Q2.0 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.16) y 7.4 GA (actualizaci\u00f3n 92) permite a un usuario cargar una imagen de perfil de m\u00e1s de 300 kb. Este tama\u00f1o supera el m\u00e1ximo indicado de 300 kb. Esta cantidad adicional de datos puede ralentizar Liferay."}], "lastModified": "2025-12-16T16:51:50.980", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEA426A3-F949-42E3-8595-A490B6B9F7F7", "versionEndIncluding": "2024.q1.16", "versionStartIncluding": "2024.q1.1"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D947DFA-C2BB-4B5C-93CF-505525176039", "versionEndIncluding": "2024.Q2.13", "versionStartIncluding": "2024.Q2.1"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81DE8039-B5BF-4747-A426-DCA1FFC8D960", "versionEndIncluding": "2024.q3.13", "versionStartIncluding": "2024.q3.1"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB83F0DC-CD4C-4C2F-AEB5-98ABB73428A1", "versionEndIncluding": "2024.q4.7", "versionStartIncluding": "2024.q4.0"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86F10928-D404-4D6C-9157-E5D9B80E546D", "versionEndIncluding": "2025.q1.8", "versionStartIncluding": "2025.q1.0"}, {"criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8E19E344-92B4-4B46-BD89-25EC7191972C"}, {"criteria": "cpe:2.3:a:liferay:liferay_portal:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "28B52E28-FA0F-400D-BDE5-4BB270D47122", "versionEndIncluding": "7.4.3.132", "versionStartIncluding": "7.4.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}