CVE-2025-43816

HIGH

Liferay Digital Experience Platform < 7.4 - Memory Leak

Title source: rule

Description

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows an attacker to cause server unavailability (denial of service) by repeatedly calling the API endpoint.

Scores

CVSS v3 7.5
EPSS 0.0012
EPSS Percentile 30.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-401
Status published
Products (2)
com.liferay/com.liferay.portal.vulcan.impl 0 - 5.0.115 (Maven)
liferay/digital_experience_platform 7.4 (49 CPE variants)
Published Sep 25, 2025
Tracked Since Feb 18, 2026