CVE-2025-43764 — Liferay Portal ReDoS with Role Name search in KaleoDesignerPortlet

Description

Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.

How to fix CVE-2025-43764

To remediate CVE-2025-43764, upgrade the affected package to a fixed version below.

—upgrade to 5.0.145 or later

Is CVE-2025-43764 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.145

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43764
WEBgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/12a076172494707748325836b3d5236507be0490
WEBliferay.atlassian.net/browse/LPE-18148