CVE-2025-43816: 
Java vulnerability analysis and mitigation

A memory leak vulnerability (CVE-2025-43816) was discovered in the headless API for StructuredContents in Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.119 and older unsupported versions, as well as Liferay DXP versions spanning from 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability was disclosed on September 25, 2025 (Liferay Advisory).

The vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) and has received a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The technical issue stems from a memory leak in the headless API for StructuredContents that can be triggered through repeated API endpoint calls (NVD).

The primary impact of this vulnerability is the potential for server unavailability through denial of service attacks. When exploited, the memory leak can cause resource exhaustion on the affected server, potentially leading to system instability or complete service disruption (Liferay Advisory).

Liferay has released patches to address this vulnerability. Users are advised to upgrade to Liferay Portal version 7.4.3.120 or Liferay DXP versions 2024.Q1.6 or 2024.Q2.0, which contain the necessary fixes (Liferay Advisory).