CVE-2025-43762 — Liferay Portal users can upload an unlimited amount of files

Description

Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allowing an attacker to cause a potential DDoS.

How to fix CVE-2025-43762

To remediate CVE-2025-43762, upgrade the affected package to a fixed version below.

—upgrade to 6.0.187 or later
—upgrade to 4.0.180 or later

Is CVE-2025-43762 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 6.0.187
from 0, < 4.0.180

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43762
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/9d32b089f30a42c8fd2d30832b3c90eefb5afe84
WEBliferay.atlassian.net/browse/LPE-18177