CVE-2025-43816

HIGH

Liferay Digital Experience Platform - Memory Leak in StructuredContents Headless API

Title source: llm

Description

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows an attacker to cause server unavailability (denial of service) via repeatedly calling the API endpoint.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43816

Scores

CVSS v3 7.5

EPSS 0.0031

EPSS Percentile 21.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-401

Status published

Products (2)

com.liferay/com.liferay.portal.vulcan.impl 0 - 5.0.115Maven

liferay/digital_experience_platform 7.4 (49 CPE variants)

Published Sep 25, 2025

Tracked Since Feb 18, 2026