Vulnerability DatabaseCVE-2025-43816

CVE-2025-43816:
Java vulnerability analysis and mitigation

Overview

A memory leak vulnerability has been identified in the headless API for StructuredContents in Liferay Portal and Liferay DXP. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.119 and older unsupported versions, as well as Liferay DXP versions spanning from 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92. The vulnerability was disclosed on September 25, 2025 (Liferay Advisory).

Technical details

The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The issue is classified as CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

Impact

When exploited, this vulnerability allows an attacker to cause server unavailability through a denial of service condition by repeatedly calling the affected API endpoint (Liferay Advisory).

Mitigation and workarounds

The vulnerability has been patched in Liferay Portal version 7.4.3.120 and Liferay DXP versions 2024.Q1.6 and 2024.Q2.0. Organizations are advised to upgrade to these fixed versions as soon as possible (Liferay Advisory).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

6.9

Score

Published September 25, 2025

Severity MEDIUM

CNA Score 6.9

Affected Technologies

Java
Liferay Portal

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 12.4

Exploitation Probability (EPSS) N/A

Affected packages and libraries

com.liferay:com.liferay.portal.vulcan.impl
cpe:2.3:a:liferay:liferay_portal

Sources

NVD
GitHub Advisory Database
- Maven Severity MEDIUMHas FixAdded at: Sep 28, 2025
VulnCheck NVD++
- Linux Has FixAdded at: Sep 28, 2025
- Windows Has FixAdded at: Sep 28, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-48392	HIGH	7.5	Java	org.apache.iotdb:iotdb-core	No	Yes	Sep 24, 2025
CVE-2025-43816	MEDIUM	6.9	Java	com.liferay:com.liferay.portal.vulcan.impl	No	Yes	Sep 25, 2025
CVE-2025-56769	MEDIUM	6.5	Java	cn.hutool:hutool-extra	No	Yes	Sep 25, 2025
CVE-2025-48459	MEDIUM	5.3	Java	org.apache.iotdb:iotdb-confignode	No	Yes	Sep 24, 2025
CVE-2025-58457	MEDIUM	4.3	Java	cpe:2.3:a:apache:zookeeper	No	Yes	Sep 24, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-43816: Java vulnerability analysis and mitigation