Fluid Attacks Database

Description

Liferay Portal and Liferay DXP have a Denial Of Service via File Upload (DOS) vulnerability A Denial Of Service via File Upload (DOS) vulnerability in Liferay Portal 7.4.3.0 through 7.4.3.132, Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload a profile picture of more than 300kb into a user profile. This size is more than the noted max 300kb size. This extra data can significantly slow down the Liferay service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.4.3.0 <=7.4.3.132	-
maven	com.liferay.portal:release.dxp.bom	>=2025.q1.0 <2025.q1.9 \|\| >=2024.q4.0 <=2024.q4.7 \|\| >=2024.q3.0 <=2024.q3.13 \|\| >=2024.q2.0 <=2024.q2.13 \|\| >=2024.q1.0 <2024.q1.17 \|\| >=0 <=7.4.13.u92	2025.q1.9, 2024.q1.17
maven	com.liferay:com.liferay.frontend.taglib	>=0 <13.10.0	13.10.0
maven	com.liferay:com.liferay.users.admin.web	>=0 <11.0.27	11.0.27
maven	com.liferay:com.liferay.image.uploader.web	>=0 <5.0.56	5.0.56
maven	com.liferay:com.liferay.account.admin.web	>=0 <2.0.138	2.0.138

Aliases

1. CVE-2025-437362. NVD-2025-437363. OSV-2025-437364. GCVE-2025-43736

References

1. https://github.com/liferay/liferay-portal/commit/ab8932bee29df7df377c468f662d55e624d9390d2. https://liferay.atlassian.net/browse/LPE-182203. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43736

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.