CVE-2025-43816 Memory leak when consuming the headless API for StructuredContents

Description

A memory leak in the headless API for StructuredContents in Liferay Portal and Liferay DXP allows an attacker to cause server unavailability (denial of service) by repeatedly calling the API endpoint.

Severity

6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Affected Version(s)

  • Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions
  • Liferay DXP 2023.Q3.1 through 2023.Q3.10
  • Liferay DXP 2023.Q4.0 through 2023.Q4.10
  • Liferay DXP 2024.Q1.1 through 2024.Q1.5
  • Liferay DXP 7.4 GA through update 92, and older unsupported versions

Fixed Version(s)

  • Liferay Portal 7.4.3.120
  • Liferay DXP 2024.Q1.6
  • Liferay DXP 2024.Q2.0

Publication date: Thu, 25 Sep 2025 08:04:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have been listed here only since 2023. Historical advisories are available in the Help Center.