CVE-2025-43796 — Uncontrolled Resource Consumption in Digital Experience Platform

CWE-400 — Uncontrolled Resource Consumption CWE-79 — Cross-site Scripting7 documents6 sources

Severity

7.1HIGHNVD

EPSS

0.2%

top 60.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 12

Description

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal7.4.0 — 7.4.3.102

▶CVEListV5liferay/portal7.4.0 — 7.4.3.101

▶NVDliferay/digital_experience_platform2023.Q3.0 — 2023.Q3.5+2

▶CVEListV5liferay/dxp7.3.10 — 7.3.10-u35+2

🔴Vulnerability Details

GHSA

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack↗2025-09-12

▶

CVEList

CVE-2025-43796: Liferay Portal 7↗2025-09-12

▶

OSV

Liferay Portal: Missing Rate Limiting in GraphQL Endpoint Enables Resource Exhaustion Attack↗2025-09-12

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: User Interface (Express.js) — CVE-2024-43796↗2025-07-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: User Interface (Express.js) — CVE-2024-43796↗2025-04-15

▶

Microsoft

express vulnerable to XSS via response.redirect()↗2024-09-10

▶