CVE-2025-43816 Overview
A memory leak vulnerability has been identified in the headless API for StructuredContents in Liferay Portal and Liferay Digital Experience Platform (DXP). This vulnerability affects multiple versions of both products and allows unauthenticated attackers to cause server unavailability through denial of service attacks by repeatedly calling the affected API endpoint.
The vulnerability stems from improper memory management (CWE-401: Missing Release of Memory after Effective Lifetime) within the StructuredContents headless API implementation. When the API endpoint is called repeatedly, memory is allocated but not properly released, leading to progressive memory exhaustion that can ultimately cause the server to become unresponsive.
Critical Impact
Attackers can cause complete server unavailability by exhausting system memory through repeated API calls, resulting in denial of service for all users of the affected Liferay Portal or DXP instances.
Affected Products
- Liferay Portal versions 7.4.0 through 7.4.3.119 (and older unsupported versions)
- Liferay DXP versions 2024.Q1.1 through 2024.Q1.5
- Liferay DXP versions 2023.Q4.0 through 2024.Q4.10
- Liferay DXP versions 2023.Q3.1 through 2023.Q3.10
- Liferay DXP 7.4 GA through update 92 (and older unsupported versions)
Discovery Timeline
- September 25, 2025 - CVE-2025-43816 published to NVD
- December 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-43816
Vulnerability Analysis
This vulnerability represents a classic memory leak pattern where the StructuredContents headless API fails to properly deallocate memory resources after processing requests. In Java-based platforms like Liferay, memory leaks typically occur when objects are created and stored in collections or caches without proper cleanup mechanisms, preventing the garbage collector from reclaiming the memory.
The headless API for StructuredContents handles content retrieval and manipulation through REST endpoints. When processing requests, the API creates objects to hold structured content data. The vulnerability arises because these objects are not properly dereferenced or removed from internal data structures after the request completes, causing memory to accumulate with each subsequent API call.
The attack is particularly effective because it requires no authentication and can be automated easily. An attacker can write a simple script to call the StructuredContents API endpoint in a loop, gradually consuming server memory until the JVM runs out of heap space or the operating system runs out of available memory.
Root Cause
The root cause is improper memory management in the StructuredContents headless API implementation (CWE-401: Missing Release of Memory after Effective Lifetime). Objects created during API request processing are retained beyond their useful lifetime, either through lingering references in collections, improper cache management, or missing cleanup routines in the request processing lifecycle. This prevents the Java garbage collector from reclaiming the memory, leading to progressive memory exhaustion.
Attack Vector
The attack vector is network-based and requires no authentication. An attacker can exploit this vulnerability by sending repeated HTTP requests to the StructuredContents headless API endpoint. The attack flow involves identifying the target Liferay instance, locating the StructuredContents API endpoint (typically at /o/headless-delivery/v1.0/structured-contents or similar paths), and then automating requests to this endpoint. Each request causes a small amount of memory to be leaked, and over time, the cumulative effect exhausts server resources.
The vulnerability affects availability rather than confidentiality or integrity, as the attacker cannot access or modify data through this attack—only disrupt service availability. The attack requires user interaction in the sense that the malicious requests must be processed by the server, but no victim user action is needed beyond the normal operation of the server accepting API requests.
Detection Methods for CVE-2025-43816
Indicators of Compromise
- Steadily increasing JVM heap memory usage without corresponding increases in legitimate workload
- Frequent garbage collection cycles with minimal memory reclamation
- OutOfMemoryError exceptions in Liferay server logs
- Unusually high request rates to the /o/headless-delivery/ API endpoints from single sources
Detection Strategies
- Monitor server memory metrics for sustained upward trends in heap utilization
- Implement request rate limiting and anomaly detection on API endpoints
- Configure JMX monitoring to track memory pool utilization and garbage collection statistics
- Review access logs for patterns of repeated requests to StructuredContents API endpoints
Monitoring Recommendations
- Set up alerts for JVM heap usage exceeding 80% capacity with sustained duration
- Enable verbose garbage collection logging to identify memory reclamation failures
- Implement application performance monitoring (APM) to track memory allocation patterns in the headless API module
- Monitor HTTP request patterns for unusually high volumes targeting specific API endpoints
How to Mitigate CVE-2025-43816
Immediate Actions Required
- Upgrade to patched versions of Liferay Portal or Liferay DXP as specified in the vendor advisory
- Implement rate limiting on the StructuredContents headless API endpoints
- Configure web application firewall (WAF) rules to block excessive requests to API endpoints
- Increase monitoring of server memory utilization and set up automated alerts
Patch Information
Liferay has addressed this vulnerability in updated releases. Organizations should consult the Liferay Security Advisory for CVE-2025-43816 for specific version information and upgrade instructions. The following versions should be upgraded:
- Liferay Portal: Upgrade from versions 7.4.0 through 7.4.3.119 to the latest patched release
- Liferay DXP 2024.Q1: Upgrade from versions 2024.Q1.1-2024.Q1.5 to the latest quarterly update
- Liferay DXP 2023.Q4/2024.Q4: Upgrade from versions 2023.Q4.0-2024.Q4.10 to the latest patched release
- Liferay DXP 2023.Q3: Upgrade from versions 2023.Q3.1-2023.Q3.10 to the latest patched release
- Liferay DXP 7.4: Upgrade from GA through update 92 to update 93 or later
Workarounds
- Implement API rate limiting at the reverse proxy or load balancer level to restrict request frequency
- Temporarily disable or restrict access to the StructuredContents headless API if not required for business operations
- Configure JVM heap limits and automatic restart policies to minimize downtime in case of memory exhaustion
- Deploy network-level controls to limit API access to trusted IP ranges only
# Example: Configure nginx rate limiting for Liferay API endpoints
# Add to nginx.conf or site configuration
limit_req_zone $binary_remote_addr zone=liferay_api:10m rate=10r/s;
location /o/headless-delivery/ {
limit_req zone=liferay_api burst=20 nodelay;
proxy_pass http://liferay_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
