CVE-2025-43736

4.3 MEDIUM

📋 TL;DR

This CVE describes a Denial of Service vulnerability in Liferay Portal and DXP: authenticated users can upload profile pictures larger than the 300KB limit. The excess data can degrade system performance and make Liferay slower. Affected users include anyone running vulnerable versions of Liferay Portal 7.4.3.0-7.4.3.132 or Liferay DXP 2025.Q1.0-2025.Q1.8, 2024.Q4.0-2024.Q4.7, 2024.Q3.0-2024.Q3.13, 2024.Q2.0-2024.Q2.13, 2024.Q1.1-2024.Q1.16, and 7.4 GA through update 92.

💻 Affected Systems

Products:
  • Liferay Portal
  • Liferay DXP
Versions: Liferay Portal 7.4.3.0 through 7.4.3.132; Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16, and 7.4 GA through update 92
Operating Systems: All supported OS for Liferay
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. Exploitation requires authenticated user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Multiple users repeatedly upload large profile pictures, consuming excessive storage and processing resources, leading to significant performance degradation or complete service unavailability.

🟠 Likely Case: Occasional large uploads cause temporary slowdowns in Liferay performance, particularly affecting user profile management functions.

🟢 If Mitigated: Minor performance impact with proper monitoring and quick response to any large upload attempts.

🌐 Internet-Facing: MEDIUM - Internet-facing instances are accessible to authenticated users who could exploit this, but exploitation requires user accounts.
🏢 Internal Only: MEDIUM - Internal users with accounts could degrade performance, but network segmentation limits external attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation is straightforward - any authenticated user can attempt to upload a profile picture larger than 300KB. No special tools or techniques required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Liferay Portal 7.4.3.133+, Liferay DXP 2025.Q1.9+, 2024.Q4.8+, 2024.Q3.14+, 2024.Q2.14+, 2024.Q1.17+, and 7.4 update 93+

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736

Restart Required: No

Instructions:

1. Download the appropriate fix pack from Liferay's customer portal.
2. Apply the fix pack according to Liferay's update documentation.
3. Verify the fix by testing profile picture uploads.

🔧 Temporary Workarounds

Workaround 1: Implement file upload restrictions
Applies to: all
Configure the web server or application firewall to block profile picture uploads larger than 300KB.

Workaround 2: Monitor and alert on large uploads
Applies to: all
Set up monitoring for file upload sizes in Liferay logs and create alerts for uploads exceeding 300KB.

🧯 If You Can't Patch

  • Implement strict user access controls to limit who can upload profile pictures
  • Deploy a WAF with file upload size restrictions and monitor for violation attempts

🔍 How to Verify

Check if Vulnerable:

Check Liferay version via Control Panel → Configuration → Server Administration → System Information, or check liferay.home/version.txt

Check Version:

Check version via Control Panel or examine version.txt file in Liferay home directory

Verify Fix Applied:

Attempt to upload a profile picture larger than 300KB - it should be rejected with an error message

📡 Detection & Monitoring

Log Indicators:

  • Large file upload entries in Liferay logs
  • User profile update attempts with large files
  • System performance degradation logs

Network Indicators:

  • HTTP POST requests to /api/jsonws/user/update-user with large payloads
  • Increased bandwidth usage from user profile endpoints

SIEM Query:

source="liferay.log" AND ("upload" OR "profile picture") AND size>300000
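The following is an added example, not code from the page or from Liferay, that implements the monitoring workaround and the SIEM query above as a stand-alone log scanner. It assumes a key=value log layout (`user=`, `action=`, `size=`, `path=`) that is a constructed stand-in for whatever your Liferay logging actually emits; the sample lines are constructed, the 300000-byte threshold follows the page's `size>300000` query, and the repeat-offender logic reflects the "multiple users repeatedly upload" worst case described on the page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Threshold taken from the page's SIEM query (size>300000); the stated Liferay limit is 300KB.
SIZE_LIMIT_BYTES = 300_000
# Number of oversized uploads from one account that should raise a repeat-offender alert (assumed).
REPEAT_THRESHOLD = 3

# Assumed key=value layout; adapt this pattern to the real Liferay log format before use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+.*?"
    r"user=(?P<user>\S+)\s+action=(?P<action>\S+)\s+size=(?P<size>\d+)\s+path=(?P<path>\S+)"
)


@dataclass
class Upload:
    ts: str
    user: str
    action: str
    size: int
    path: str


def parse_line(line):
    """Parse one log line into an Upload, or return None for lines that carry no upload fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Upload(m["ts"], m["user"], m["action"], int(m["size"]), m["path"])


def oversized_uploads(lines, limit=SIZE_LIMIT_BYTES):
    """Return profile-picture uploads whose logged size exceeds the limit (the SIEM query in code)."""
    found = []
    for line in lines:
        u = parse_line(line)
        if u is None:
            continue
        # Only profile picture uploads are in scope for this CVE; other upload actions are ignored.
        if u.action == "profile_picture_upload" and u.size > limit:
            found.append(u)
    return found


def repeat_offenders(uploads, threshold=REPEAT_THRESHOLD):
    """Group oversized uploads by account and report accounts at or above the repeat threshold."""
    per_user = defaultdict(list)
    for u in uploads:
        per_user[u.user].append(u)
    return {
        user: {"count": len(us), "total_bytes": sum(x.size for x in us)}
        for user, us in per_user.items()
        if len(us) >= threshold
    }


# Constructed sample log lines; not captured from a real Liferay instance.
SAMPLE_LOG = [
    "2025-06-01T10:15:01Z INFO [UploadPortletRequest] user=alice action=profile_picture_upload size=120000 path=/api/jsonws/user/update-user",
    "2025-06-01T10:15:02Z INFO [UploadPortletRequest] user=bob action=profile_picture_upload size=450000 path=/api/jsonws/user/update-user",
    "2025-06-01T10:15:09Z INFO [UploadPortletRequest] user=bob action=profile_picture_upload size=2000000 path=/api/jsonws/user/update-user",
    "2025-06-01T10:15:15Z INFO [UploadPortletRequest] user=bob action=profile_picture_upload size=800000 path=/api/jsonws/user/update-user",
    "2025-06-01T10:16:00Z WARN [ServerDetector] Startup complete",
    "2025-06-01T10:16:30Z INFO [UploadPortletRequest] user=carol action=profile_picture_upload size=350000 path=/api/jsonws/user/update-user",
    "2025-06-01T10:17:00Z INFO [UploadPortletRequest] user=dave action=document_upload size=5000000 path=/documents/upload",
]


def report(lines):
    """Produce the alert payload a SIEM rule would emit: oversized events plus repeat offenders."""
    big = oversized_uploads(lines)
    return {
        "oversized": [(u.ts, u.user, u.size) for u in big],
        "repeat_offenders": repeat_offenders(big),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

Two points worth keeping in mind when adapting this: the scanner acts only on the `size` value that the application logged, so it detects an oversized upload after the server has already received it; a web-server or WAF body-size cap (the first workaround) stops the bytes earlier, but such caps apply to the whole request body, so a multipart upload of a file just under 300KB will exceed a cap set at exactly 300KB because of the multipart framing. Set the cap with that overhead in mind and test a legitimate upload after deploying it.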
