CVE-2025-43816 — Missing Release of Memory after Effective Lifetime in Digital Experience Platform

CWE-401 — Missing Release of Memory after Effective Lifetime4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 69.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay Digital Experience Platform Liferay Portal Liferay DXP +1 more

Timeline

PublishedSep 25

Description

A memory leak in the headless API for StructuredContents in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2024.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows an attacker to cause server unavailability (denial of service) via repeatedly calling the API endpoint.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDliferay/liferay_portal< 7.4.3.120

▶CVEListV5liferay/portal7.4.0 — 7.4.3.119

▶NVDliferay/digital_experience_platform2024.Q1.1 — 2024.Q1.6+4

▶CVEListV5liferay/dxp7.4.13 — 7.4.13-u92+3

🔴Vulnerability Details

GHSA

Liferay Portal and DXP vulnerable to a memory leak↗2025-09-25

▶

OSV

Liferay Portal and DXP vulnerable to a memory leak↗2025-09-25

▶

CVEList

CVE-2025-43816: A memory leak in the headless API for StructuredContents in Liferay Portal 7↗2025-09-25

▶