CVE-2025-43762
Java vulnerability analysis and mitigation

Overview

A vulnerability (CVE-2025-43762) has been identified in Liferay Portal and DXP, affecting multiple releases from 7.4.0 through 2025.Q1.1. It allows users to upload an unlimited number of files through forms; the files are stored in the document library, which potentially enables attackers to cause denial-of-service conditions. The issue was disclosed on March 17, 2025, and received a CVSS v4.0 base score of 5.3 (Medium) (Liferay Advisory).

Technical details

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). It stems from a lack of restrictions on file uploads in the forms feature: uploaded files are stored in the document_library without proper limitations. Its CVSS v4.0 vector string is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L, indicating network accessibility, low attack complexity, and passive user interaction requirements (NVD).

Impact

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks through unrestricted file uploads. By exploiting this vulnerability, attackers can consume storage resources in the document library, potentially affecting system availability and performance (Liferay Advisory).

Mitigation and workarounds

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal master branch, Liferay DXP 2025.Q2.0, Liferay DXP 2025.Q1.2, or Liferay DXP 2024.Q1.15 to mitigate the issue (Liferay Advisory).
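
On an instance that has not yet been upgraded, the resource exhaustion described above appears as one client storing many files, or many bytes, through the form upload in a short period. The following added example (not code from Liferay or the advisory) flags such bursts in an access log; the log layout with a trailing request-size field, the placeholder path in UPLOAD_PATH, and the thresholds are all assumptions to adapt to the local deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions (not from the advisory): access log in combined style with the
# request body size appended as the last field; UPLOAD_PATH is a placeholder.
UPLOAD_PATH = "/PLACEHOLDER/form-upload"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<req_bytes>\d+)$')

def find_upload_bursts(lines, max_files=3, max_bytes=50_000_000,
                       window=timedelta(minutes=10)):
    """Map each client that exceeded the budget to (files, bytes) in the sliding
    window at the moment it first crossed it. Lines must be in time order."""
    recent = defaultdict(deque)          # ip -> deque of (timestamp, bytes)
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not m["path"].startswith(UPLOAD_PATH):
            continue                     # malformed line or not an upload
        if not m["status"].startswith("2"):
            continue                     # rejected uploads store nothing
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, int(m["req_bytes"])))
        while ts - q[0][0] > window:     # drop uploads older than the window
            q.popleft()
        total = sum(size for _, size in q)
        if m["ip"] not in flagged and (len(q) > max_files or total > max_bytes):
            flagged[m["ip"]] = (len(q), total)
    return flagged

# Constructed sample log (documentation IP ranges, invented sizes).
P = '"POST /PLACEHOLDER/form-upload HTTP/1.1"'
SAMPLE_LOG = f"""\
203.0.113.7 - - [01/Apr/2025:10:00:01 +0000] {P} 200 512 1000000
203.0.113.7 - - [01/Apr/2025:10:01:10 +0000] {P} 200 512 1000000
198.51.100.9 - - [01/Apr/2025:10:01:30 +0000] {P} 200 512 30000000
203.0.113.7 - - [01/Apr/2025:10:02:05 +0000] {P} 200 512 1000000
203.0.113.7 - - [01/Apr/2025:10:03:40 +0000] {P} 200 512 1000000
192.0.2.44 - - [01/Apr/2025:10:05:00 +0000] {P} 200 512 30000000
192.0.2.44 - - [01/Apr/2025:10:05:20 +0000] {P} 200 512 30000000
192.0.2.44 - - [01/Apr/2025:10:06:00 +0000] {P} 413 512 90000000
198.51.100.9 - - [01/Apr/2025:10:14:00 +0000] {P} 200 512 30000000
""".splitlines()

if __name__ == "__main__":
    for ip, (files, size) in find_upload_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {files} uploads, {size} bytes within 10 minutes")
```

The file-count threshold catches many small uploads and the byte threshold catches a few large ones; the third client stays unflagged because its two uploads fall in different windows.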

Source: This report was generated using AI

Related Java vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-26866 | HIGH | 8.8 | Java | org.apache.hugegraph:hg-pd-core | No | Yes | Dec 12, 2025 |
| CVE-2025-54981 | HIGH | 7.5 | Java | org.apache.streampark:streampark | No | Yes | Dec 12, 2025 |
| CVE-2025-67721 | MEDIUM | 6.3 | Java | trino | No | Yes | Dec 12, 2025 |
| CVE-2025-53960 | MEDIUM | 5.9 | Java | org.apache.streampark:streampark | No | Yes | Dec 12, 2025 |
| CVE-2025-54947 | MEDIUM | 5.3 | Java | org.apache.streampark:streampark | No | Yes | Dec 12, 2025 |
