CVE-2025-43764 in Liferayinfo

Summary

by MITRE • 08/23/2025

Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/13/2025

The vulnerability CVE-2025-43764 represents a self-replicating regular expression denial of service flaw within the Kaleo Designer portlet of Liferay Portal and Liferay DXP platforms. This issue specifically affects the role name search functionality where users can input regular expressions to filter workflow roles. The vulnerability exists in multiple versions including Liferay Portal 7.4.0 through 7.4.3.131 and various Liferay DXP releases from 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, along with Liferay 7.4 GA through update 92. The flaw allows authenticated users with appropriate permissions to manipulate the workflow update functionality by submitting malicious regular expression patterns that can cause browser performance degradation or complete hanging.

The technical implementation of this vulnerability stems from improper input validation and sanitization within the Kaleo Designer JavaScript code. When users enter regular expressions into the role name search field, the system processes these patterns without adequate protection against catastrophic backtracking scenarios. This type of attack exploits the inherent performance characteristics of regular expression engines where certain patterns can cause exponential execution time growth. The vulnerability specifically targets the client-side JavaScript processing within the browser environment, making it a self-replicating variant of regular expression denial of service. According to CWE-400, this maps to a weakness in resource management where the system fails to properly handle potentially malicious input that can cause resource exhaustion.

The operational impact of this vulnerability extends beyond simple performance degradation as it can effectively render the workflow management interface unusable for authenticated users. Attackers with permissions to update Kaleo Workflows can cause significant disruption by submitting carefully crafted regular expressions that will cause browser tabs to freeze or become unresponsive for extended periods. This creates a denial of service condition that affects legitimate users attempting to manage workflow processes. The vulnerability particularly impacts organizations that rely heavily on workflow automation and require frequent updates to their business processes through the Kaleo Designer interface. From an ATT&CK framework perspective, this vulnerability aligns with T1499.004 (Resource Hijacking) and T1566.001 (Phishing with Social Engineering), as it can be used to create persistent service disruptions or as part of broader attack campaigns targeting administrative interfaces.

Mitigation strategies for CVE-2025-43764 should focus on implementing proper input validation and sanitization within the Kaleo Designer portlet. Organizations should enforce strict regular expression validation that limits pattern complexity and execution time, particularly for user-provided inputs. The recommended approach includes implementing timeouts for regular expression processing, limiting the length of regex patterns, and applying automated pattern analysis to detect potentially dangerous constructs. Additionally, implementing proper rate limiting and input length restrictions on the role name search field can prevent exploitation. Security teams should also consider implementing web application firewalls with regex detection capabilities and ensure that all affected Liferay installations are updated to the latest patched versions. The vulnerability demonstrates the importance of proper input validation in client-side applications and highlights the need for comprehensive security testing of user-facing interfaces that process untrusted input. Organizations should also implement monitoring solutions to detect unusual patterns of regex usage that might indicate exploitation attempts, and establish incident response procedures to address potential service disruptions caused by such vulnerabilities.

Responsible

Liferay

Reservation

04/17/2025

Disclosure

08/23/2025

Moderation

accepted

CPE

ready

EPSS

0.00289

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!