CVE-2025-43772

Summary

Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP request.

Affected Software

VendorProductVersion RangeStatus
LiferayPortal7.0.0 <= 7.4.3.5affected
LiferayDXP6.2.0 <= portal-173affected
LiferayDXP7.0.10 <= de-102affected
LiferayDXP7.1.10 <= dxp-28affected
LiferayDXP7.2.10 <= dxp-20affected
LiferayDXP7.3.10 <= 7.3.10-u27affected
LiferayDXP7.4.13 <= 7.4.13-u1affected

Weaknesses

  • CWE-400: CWE-400 Uncontrolled Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References