Liferay DXP/Portal DoS via XML-RPC Loop Cond (7.4.0-7.4.3.111, 2023.Q4)
CVE-2025-43801 Published on September 16, 2025
Unchecked input for loop condition vulnerability in XML-RPC in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to perform a denial-of-service (DoS) attacks via a crafted XML-RPC request.
Weakness Type
Unchecked Input for Loop Condition
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.
Products Associated with CVE-2025-43801
stack.watch emails you whenever new vulnerabilities are published in Liferay Portal or Liferay Digital Experience Platform. Just hit a watch button to start following.
Affected Versions
Liferay Portal:- Version 7.4.0, <= 7.4.3.111 is affected.
- Version 7.3.10, <= 7.3.10-u35 is affected.
- Version 7.4.13, <= 7.4.13-u92 is affected.
- Version 2023.Q3.1, <= 2023.Q3.4 is affected.
- Version 2023.Q4.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.