CVE-2025-43772 — Liferay Portal Vulnerable to Denial of Service in Kaleo Forms Admin

Description

Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP request.

How to fix CVE-2025-43772

To remediate CVE-2025-43772, upgrade the affected package to a fixed version below.

Maven/com.liferay:com.liferay.portal.workflow.kaleo.forms.web—upgrade to 5.0.29 or later

Is CVE-2025-43772 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.0.29

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-43772
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/566ba7b48d6e8c62e5da71c34bb56b87183bf503
WEBgithub.com/liferay/liferay-portal/commit/5d62db9d01005fc148297dad37f84660cd8b4a2b