PT-2025-35865 · Liferay · Kaleo Forms Admin+2
Published: 2025-09-04 · Updated: 2025-09-04
CVE-2025-43772
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Kaleo Forms Admin in Liferay Portal versions 7.0.0 through 7.4.3.4
Kaleo Forms Admin in Liferay DXP versions 7.3 GA through update 27
Kaleo Forms Admin in Liferay DXP version 7.4 GA
Older unsupported versions
Description
The application does not restrict the saving of request parameters in the portlet session. This allows remote attackers to consume system memory, potentially leading to denial-of-service (DoS) conditions via crafted HTTP requests.
Recommendations
Versions prior to 7.4.3.4 are affected.
Versions prior to Liferay DXP update 27 are affected.
Versions prior to Liferay DXP 7.4 GA are affected.
Versions prior to Liferay DXP 7.3 GA are affected.
Fix
DoS
Resource Exhaustion
Affected Products
Kaleo Forms Admin
Liferay DXP
Liferay Portal