CVE-2025-43736

Name of the Vulnerable Software and Affected Versions: Liferay Portal versions 7.4.3.0 through 7.4.3.132 Liferay DXP versions 2025.Q1.0 through 2025.Q1.8 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.0 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.16 Liferay Portal versions 7.4 GA through update 92

Description: A Denial Of Service via File Upload (DOS) vulnerability exists due to the ability to upload profile pictures exceeding the maximum allowed size of 300kb. Uploading files larger than this limit can cause performance degradation in Liferay Portal and DXP.

Recommendations: Liferay Portal versions 7.4.3.0 through 7.4.3.132: Limit profile picture uploads to a maximum size of 300kb. Liferay DXP versions 2025.Q1.0 through 2025.Q1.8: Limit profile picture uploads to a maximum size of 300kb. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7: Limit profile picture uploads to a maximum size of 300kb. Liferay DXP versions 2024.Q3.0 through 2024.Q3.13: Limit profile picture uploads to a maximum size of 300kb. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13: Limit profile picture uploads to a maximum size of 300kb. Liferay DXP versions 2024.Q1.1 through 2024.Q1.16: Limit profile picture uploads to a maximum size of 300kb. Liferay Portal versions 7.4 GA through update 92: Limit profile picture uploads to a maximum size of 300kb.