CVE-2025-43764

Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.

CVSS

No CVSS.

References

Link	Resource
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43764

Configurations

No configuration.

History

25 Aug 2025, 20:24

Type	Values Removed	Values Added
Summary		(es) Existe Self-ReDoS (denegación de servicio por expresión regular) con el campo de búsqueda de nombre de rol del portlet JavaScript de Kaleo Designer en Liferay Portal 7.4.0 a 7.4.3.131, y Liferay DXP 2024.Q4.0 a 2024.Q4.1, 2024.Q3.0 a 2024.Q3.13, 2024.Q2.1 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.20 y 7.4 GA hasta la actualización 92, lo que permite que los usuarios autenticados con permisos para actualizar los flujos de trabajo de Kaleo ingresen un patrón Regex malicioso que provoca que su navegador se cuelgue durante mucho tiempo.

23 Aug 2025, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-23 05:15

Updated : 2025-08-25 20:24

NVD link : CVE-2025-43764

Mitre link : CVE-2025-43764

CVE.ORG link : CVE-2025-43764

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2025-43764", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@liferay.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-23T05:15:30.667", "references": [{"url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43764", "source": "security@liferay.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@liferay.com", "description": [{"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time."}, {"lang": "es", "value": "Existe Self-ReDoS (denegaci\u00f3n de servicio por expresi\u00f3n regular) con el campo de b\u00fasqueda de nombre de rol del portlet JavaScript de Kaleo Designer en Liferay Portal 7.4.0 a 7.4.3.131, y Liferay DXP 2024.Q4.0 a 2024.Q4.1, 2024.Q3.0 a 2024.Q3.13, 2024.Q2.1 a 2024.Q2.13, 2024.Q1.1 a 2024.Q1.20 y 7.4 GA hasta la actualizaci\u00f3n 92, lo que permite que los usuarios autenticados con permisos para actualizar los flujos de trabajo de Kaleo ingresen un patr\u00f3n Regex malicioso que provoca que su navegador se cuelgue durante mucho tiempo."}], "lastModified": "2025-08-25T20:24:45.327", "sourceIdentifier": "security@liferay.com"}