CVE-2025-43764 — Regex Denial of Service in Digital Experience Platform

CWE-1333 — Regex Denial of Service4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 72.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedAug 23

Description

Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.132

▶CVEListV5liferay/portal7.4.3.0 — 7.4.3.131

▶NVDliferay/digital_experience_platform2024.Q4.0 — 2024.Q4.2+4

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+4

🔴Vulnerability Details

CVEList

CVE-2025-43764: Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7↗2025-08-23

▶

OSV

Liferay Portal ReDoS with Role Name search in KaleoDesignerPortlet↗2025-08-23

▶

GHSA

Liferay Portal ReDoS with Role Name search in KaleoDesignerPortlet↗2025-08-23

▶