CVE-2025-43736: 
Java vulnerability analysis and mitigation

A Denial of Service via File Upload (DOS) vulnerability was discovered in Liferay Portal and DXP, identified as CVE-2025-43736. The vulnerability was disclosed on August 12, 2025, affecting multiple versions including Liferay Portal 7.4.3.0 through 7.4.3.132, and various Liferay DXP versions from 2024.Q1 through 2025.Q1 releases. The issue was reported by Lorenzo Toti, Francesco Dalena, Simone Capparelli and the company DXC Technology (Liferay Advisory).

The vulnerability allows users to upload profile pictures exceeding the maximum specified size limit of 300kb. This vulnerability has been assigned a CVSS v4.0 base score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L. The weakness has been categorized as CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

The exploitation of this vulnerability can result in system performance degradation as the upload of oversized profile pictures can make Liferay slower. This creates a potential denial of service condition affecting the system's performance (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal fixed on master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.9, or Liferay DXP 2024.Q1.17 (Liferay Advisory).