CVE-2025-43772 Overview
CVE-2025-43772 is a denial-of-service vulnerability in the Kaleo Forms Admin component of Liferay Portal and Liferay DXP. The flaw affects Liferay Portal versions 7.0.0 through 7.4.3.4, Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported releases. The component fails to restrict the saving of HTTP request parameters in the portlet session. Authenticated remote attackers can submit crafted HTTP requests that accumulate parameters in memory until system resources are exhausted. The weakness is tracked as CWE-400 (Uncontrolled Resource Consumption).
Critical Impact
An authenticated attacker can exhaust JVM heap memory in Liferay Portal or DXP, producing denial-of-service conditions that disrupt portal availability for all users.
Affected Products
- Liferay Portal 7.0.0 through 7.4.3.4
- Liferay DXP 7.4 GA
- Liferay DXP 7.3 GA through update 27 and older unsupported versions
Discovery Timeline
- 2025-09-04 - CVE-2025-43772 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-43772
Vulnerability Analysis
The vulnerability resides in the Kaleo Forms Admin portlet, which manages workflow form definitions in Liferay. The portlet persists incoming HTTP request parameters into the portlet session without enforcing limits on parameter count or cumulative size. Each crafted request adds entries that the JVM retains for the duration of the session. An authenticated attacker can iteratively send requests with large or numerous parameters, forcing memory growth until the heap is exhausted. The result is service degradation, garbage collection thrashing, or process termination with OutOfMemoryError. The Exploit Prediction Scoring System (EPSS) assigns this issue an exploitation probability of 0.569%.
Root Cause
The root cause is missing input bounds enforcement on session-stored data. Kaleo Forms Admin treats request parameters as session-scoped state without applying ceilings on size, count, or retention. This pattern matches CWE-400, where uncontrolled resource allocation allows an attacker to consume disproportionate server resources through a low-cost request.
Attack Vector
Exploitation requires network access and a low-privileged authenticated account on the Liferay instance. The attacker issues crafted HTTP POST or GET requests to the Kaleo Forms Admin endpoint. Each request includes parameters engineered to maximize memory footprint when serialized into the portlet session. Repeated submissions drive heap usage upward until the application server can no longer serve requests, satisfying the denial-of-service objective without requiring code execution or privilege escalation.
No public proof-of-concept exploit code is available. For technical details, see the Liferay Known Vulnerabilities advisory for CVE-2025-43772.
Detection Methods for CVE-2025-43772
Indicators of Compromise
- Repeated authenticated HTTP requests targeting Kaleo Forms Admin portlet URLs containing unusually large parameter payloads or high parameter counts.
- Sustained JVM heap growth on Liferay nodes correlated with portlet session size increases.
- Application server logs reporting java.lang.OutOfMemoryError or aggressive garbage collection cycles tied to portal worker threads.
Detection Strategies
- Inspect web access logs for repeated POST requests to Kaleo Forms Admin endpoints from the same authenticated session identifier.
- Correlate session memory metrics with request volume to identify accounts driving abnormal session growth.
- Alert on HTTP requests where parameter count or aggregate body size exceeds an established baseline for portal traffic.
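To make the access-log side of these strategies concrete, the following added example (not code from Liferay or from the original page) parses constructed log lines in an assumed format and raises the two alerts the list above describes: repeated POSTs from one session identifier to a Kaleo Forms Admin endpoint, and single requests whose parameter count or request length exceeds a baseline. The log format, the endpoint regex, the thresholds and all session identifiers and addresses are assumptions to be adapted to the deployment.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed log format (an assumption, not Liferay's or NGINX's default):
#   <client_ip> <session_id> "<METHOD> <path?query> HTTP/x" <status> <request_length_bytes>
LINE_RE = re.compile(r'^\S+ (?P<sid>\S+) "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" \d{3} (?P<req_len>\d+)$')
# Endpoint pattern is an assumption built on the page's /group/control_panel path; adjust it to your portal.
KALEO_RE = re.compile(r"/group/control_panel/manage\S*kaleo", re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_len"] = int(rec["req_len"])
    # Only query-string parameters are visible in the log; request length stands in for POST body size.
    rec["params"] = len(parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True))
    return rec

def detect(lines, post_threshold=5, max_params=50, max_bytes=65536):
    """Return (rule, session_id, value) alerts: a session reaching post_threshold POSTs to the
    Kaleo endpoint (alerted once), or any single request whose parameter count or size exceeds baseline."""
    posts = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not KALEO_RE.search(rec["target"]):
            continue  # unparseable, or not forms-admin traffic
        if rec["params"] > max_params:
            alerts.append(("param_count", rec["sid"], rec["params"]))
        if rec["req_len"] > max_bytes:
            alerts.append(("request_size", rec["sid"], rec["req_len"]))
        if rec["method"] == "POST":
            posts[rec["sid"]] += 1
            if posts[rec["sid"]] == post_threshold:
                alerts.append(("repeated_posts", rec["sid"], post_threshold))
    return alerts

# Constructed sample traffic: sid-B hammers the endpoint, sid-C posts a huge body, sid-D pads the query; sid-A is benign.
KALEO = "/group/control_panel/manage?p_p_id=kaleo_forms_admin"
PADDED = KALEO + "&" + "&".join(f"f{i}=x" for i in range(60))
SAMPLE_LOG = (
    [f'10.0.0.5 sid-A "GET {KALEO} HTTP/1.1" 200 412']
    + [f'10.0.0.9 sid-B "POST {KALEO}&cmd=save HTTP/1.1" 200 900'] * 6
    + [f'10.0.0.7 sid-C "POST {KALEO}&cmd=save HTTP/1.1" 200 200000']
    + [f'10.0.0.8 sid-D "GET {PADDED} HTTP/1.1" 200 3000']
    + ['10.0.0.5 sid-A "POST /web/guest/home HTTP/1.1" 200 512']
)
```

Running detect(SAMPLE_LOG) flags sid-B for repeated POSTs, sid-C for request size and sid-D for parameter count, while the benign sid-A traffic produces nothing.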
Monitoring Recommendations
- Enable portlet session size monitoring and export JVM heap metrics to a centralized observability platform.
- Track authenticated user request rates against Kaleo Forms Admin endpoints and flag anomalies.
- Configure web application firewall logging to capture request bodies that exceed expected sizes for forms administration traffic.
How to Mitigate CVE-2025-43772
Immediate Actions Required
- Apply the security fix referenced in the Liferay Known Vulnerabilities advisory for CVE-2025-43772.
- Restrict access to Kaleo Forms Admin to trusted administrative users and remove the role from general portal accounts.
- Audit existing accounts with Kaleo Forms permissions and revoke unnecessary access.
Patch Information
Liferay publishes fixes through its security portal. Customers on Liferay DXP should obtain the corresponding fix pack or service pack from the customer portal. Liferay Portal Community Edition users should upgrade to a release version that addresses the issue, as outlined in the vendor advisory. Versions earlier than Liferay DXP 7.3 are unsupported and require migration to a supported release.
Workarounds
- Place a reverse proxy or web application firewall in front of Liferay and enforce limits on request parameter count and body size for /group/control_panel and Kaleo Forms Admin URLs.
- Reduce the portal's HTTP session timeout so that idle sessions, and the parameters they have accumulated, are released sooner.
- Disable the Kaleo Forms Admin portlet in environments where workflow forms administration is not required.
# Example reverse proxy limit (NGINX) for Liferay forms admin endpoints.
# limit_req_zone is only valid in the http context and the location must sit in the
# server block that proxies Liferay; liferay_backend is an upstream you define.
http {
    limit_req_zone $binary_remote_addr zone=liferay_forms:10m rate=10r/m;
    server {
        client_max_body_size 1m;
        location ~* /group/control_panel/manage {
            limit_req zone=liferay_forms burst=5 nodelay;
            proxy_pass http://liferay_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.