CVE-2025-43736: 
Java vulnerability analysis and mitigation

A Denial of Service via File Upload (DOS) vulnerability has been identified in Liferay Portal and Liferay DXP, tracked as CVE-2025-43736. The vulnerability was discovered on April 28, 2025, and affects multiple versions of Liferay Portal (7.4.3.0 through 7.4.3.132) and Liferay DXP across various releases (2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16, and 7.4 GA through update 92). The vulnerability was reported by Lorenzo Toti, Francesco Dalena, Simone Capparelli, and DXC Technology (Liferay Advisory).

The vulnerability allows users to upload profile pictures larger than the specified maximum size limit of 300kb into their user profiles. This bypass of size restrictions is related to the CWE-770 (Allocation of Resources Without Limits or Throttling) weakness. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/RE:L (Liferay Advisory, NVD).

The exploitation of this vulnerability can result in degraded system performance as the extra amount of data from oversized profile pictures can make Liferay slower, potentially affecting the overall system responsiveness (Liferay Advisory).

The vulnerability has been fixed in multiple versions including Liferay Portal on master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.9, and Liferay DXP 2024.Q1.17. Organizations are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).

The French national cybersecurity agency (CERT-FR) has issued an advisory (CERTFR-2025-AVI-0675) regarding this vulnerability, highlighting its potential impact on organizations using affected Liferay versions (CERT-FR).