CVE-2025-43752 – This vulnerability in Liferay Portal and DXP al... (How to Fix)

Q: What is the severity of CVE-2025-43752?

CVE-2025-43752 has a CVSS score of 6.5 (MEDIUM). This vulnerability in Liferay Portal and DXP allows authenticated users to upload unlimited files through object entries attachment fields, which are stored in the document library. This can lead to a denial-of-service (DDoS) condition by exhausting storage resources. Affected systems include Liferay Portal 7.4.0-7.4.3.132 and multiple Liferay DXP versions from 2024.Q1 through 2025.Q1.

📋 TL;DR

This vulnerability in Liferay Portal and DXP allows authenticated users to upload unlimited files through object entries attachment fields, which are stored in the document library. This can lead to a denial-of-service (DDoS) condition by exhausting storage resources. Affected systems include Liferay Portal 7.4.0-7.4.3.132 and multiple Liferay DXP versions from 2024.Q1 through 2025.Q1.

💻 Affected Systems

Products:

Liferay Portal
Liferay DXP

Versions: Liferay Portal 7.4.0 through 7.4.3.132; Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, and 7.4 GA through update 92

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user access to object entries attachment fields functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to storage exhaustion, potentially requiring restoration from backups and causing extended downtime.

🟠

Likely Case

Degraded performance, storage capacity issues, and potential service interruptions affecting user experience.

🟢

If Mitigated

Minimal impact with proper storage monitoring and rate limiting in place.

🌐 Internet-Facing: HIGH - Internet-facing Liferay instances are directly accessible to attackers who can authenticate.

🏢 Internal Only: MEDIUM - Internal systems are still vulnerable to insider threats or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access but is straightforward once authenticated. No special tools required beyond normal web access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Liferay Portal 7.4.3.133 or later; Liferay DXP 2025.Q1.5 or later, 2024.Q4.8 or later, 2024.Q3.14 or later, 2024.Q2.14 or later, 2024.Q1.16 or later, or 7.4 update 93 or later

Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43752

Restart Required: No

Instructions:

1. Download the appropriate fix pack from Liferay Customer Portal. 2. Apply the fix pack according to Liferay's update documentation. 3. Verify the update was successful by checking version.

🔧 Temporary Workarounds

Implement file upload limits

all

Configure Liferay to limit file upload sizes and frequency through portal-ext.properties or system settings.

portal-ext.properties: dl.file.max.size=10485760
dl.file.max.per.user=100

Restrict object entries permissions

all

Limit which user roles can upload files to object entries attachment fields.

Navigate to Control Panel > Users > Roles > [Role] > Define Permissions > Object Entries

🧯 If You Can't Patch

Implement strict storage monitoring with alerts for unusual upload patterns
Apply network-level rate limiting for upload requests using WAF or load balancer

🔍 How to Verify

Check if Vulnerable:

Check Liferay version via Control Panel > Server Administration > Properties > liferay.version

Check Version:

Control Panel > Server Administration > Properties > liferay.version

Verify Fix Applied:

Verify version is updated to patched version and test file upload limits in object entries

📡 Detection & Monitoring

Log Indicators:

Unusually high frequency of file uploads in Liferay logs
Storage alerts from document library
Multiple large file uploads from single user

Network Indicators:

Spike in POST requests to /o/api/object-entries endpoints
Unusual upload traffic patterns

SIEM Query:

source="liferay" AND (message="*upload*" OR message="*attachment*") | stats count by user, src_ip

📊 Metadata

CVE ID: CVE-2025-43752

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-770

EPSS Score: 0.07% exploit probability (20th percentile)

Published: August 22, 2025

Last Updated: December 16, 2025

🔗 References

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43752 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-43752, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Digital Experience Platform by Liferay

Liferay Portal by Liferay

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Implement file upload limits

Restrict object entries permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities