CVE-2025-43736
Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability
EPSS 0.24%
Description
A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service.
How to fix CVE-2025-43736
To remediate CVE-2025-43736, upgrade the affected package to a fixed version below.
- —upgrade to 2.0.138 or later
- —upgrade to 13.10.0 or later
- —upgrade to 5.0.56 or later
- —upgrade to 11.0.27 or later
- —upgrade to 2025.Q1.9 or later
- —no fix listed
Is CVE-2025-43736 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 2.0.138
- from 0, < 13.10.0
- from 0, < 5.0.56
- from 0, < 11.0.27
- >= 2025.Q1.0, < 2025.Q1.9
- >= 7.4.3.0, <= 7.4.3.132
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L |