High severity · GHSA Advisory · Published Sep 4, 2025 · Updated Apr 15, 2026
CVE-2025-43772
Description
Kaleo Forms Admin in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 27, and older unsupported versions does not restrict the saving of request parameters in the portlet session, which allows remote attackers to consume system memory, leading to denial-of-service (DoS) conditions, via a crafted HTTP request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay:com.liferay.portal.workflow.kaleo.forms.web (Maven) | < 5.0.29 | 5.0.29 |
Affected products (1)
- Range: < 5.0.29
Patches (2)
566ba7b48d6e LPS-144248 make the list once
1 file changed · +18 −25
modules/dxp/apps/portal-workflow/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/portlet/KaleoFormsAdminPortlet.java+18 −25 modified@@ -69,8 +69,6 @@ import java.io.IOException; -import java.util.ArrayList; -import java.util.Arrays; import java.util.List; import java.util.Locale; import java.util.Map; @@ -128,6 +126,21 @@ ) public class KaleoFormsAdminPortlet extends MVCPortlet { + public KaleoFormsAdminPortlet() { + _parameterNames = ListUtil.fromArray( + "backURL", "ddmStructureId", "ddmStructureName", "ddmTemplateId", + "historyKey", "kaleoProcessId", "kaleoTaskFormPairsData", "mvcPath", + "redirect", "translatedLanguagesDescription", + "translatedLanguagesName", "workflowDefinition"); + + for (Locale availableLocale : LanguageUtil.getAvailableLocales()) { + _parameterNames.add( + "description" + LocaleUtil.toLanguageId(availableLocale)); + _parameterNames.add( + "name" + LocaleUtil.toLanguageId(availableLocale)); + } + } + /** * Deletes the <code>KaleoDraftDefinition</code> (in the * <code>com.liferay.portal.workflow.kaleo.designer.api</code> module) by @@ -391,10 +404,7 @@ protected void saveInPortletSession( PortletSession portletSession = resourceRequest.getPortletSession(); - for (String parameterName : - ListUtil.concat( - _getLocalizedParameterNames(), _parameterNames)) { - + for (String parameterName : _parameterNames) { if (!parameterMap.containsKey(parameterName)) { continue; } 
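Review bot: The allowlist built in the new `KaleoFormsAdminPortlet()` constructor is a snapshot of `LanguageUtil.getAvailableLocales()` taken when the portlet is instantiated, so `name<languageId>` / `description<languageId>` parameters for a locale that only becomes available later would presumably be dropped silently by `saveInPortletSession` until the component is recreated; confirm that is acceptable or say so in a constructor comment. The list also stays mutable (the loop calls `_parameterNames.add(...)`) although the `private final List<String> _parameterNames` field added in the last hunk of this file is read by every request thread; building it in a local list and finishing with `_parameterNames = Collections.unmodifiableList(parameterNames);` would make the read-only intent explicit (this needs a `java.util.Collections` import). Nothing at the field declaration says this list is the guard against the session-memory DoS, so a comment such as `// Allowlist of request parameters that may be copied into the portlet session` would help the next maintainer keep it narrow.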
@@ -524,28 +534,9 @@ protected void setDisplayContext( @Reference protected StorageEngine storageEngine; - private List<String> _getLocalizedParameterNames() { - List<String> localizedParameters = new ArrayList<>(); - - for (Locale availableLocale : LanguageUtil.getAvailableLocales()) { - localizedParameters.add( - "description" + LocaleUtil.toLanguageId(availableLocale)); - localizedParameters.add( - "name" + LocaleUtil.toLanguageId(availableLocale)); - } - - return localizedParameters; - } - private static final Log _log = LogFactoryUtil.getLog( KaleoFormsAdminPortlet.class); - private static final List<String> _parameterNames = Arrays.asList( - "backURL", "ddmStructureId", "ddmStructureName", "ddmTemplateId", - "historyKey", "kaleoProcessId", "kaleoTaskFormPairsData", "mvcPath", - "redirect", "translatedLanguagesDescription", "translatedLanguagesName", - "workflowDefinition"); - @Reference private DDLExporterFactory _ddlExporterFactory; @@ -567,6 +558,8 @@ private List<String> _getLocalizedParameterNames() { @Reference private KaleoProcessService _kaleoProcessService; + private final List<String> _parameterNames; + @Reference private WorkflowInstanceLinkLocalService _workflowInstanceLinkLocalService;
5d62db9d0100 LPS-144248 Avoid DoS attack
1 file changed · +37 −13
modules/dxp/apps/portal-workflow/portal-workflow-kaleo-forms-web/src/main/java/com/liferay/portal/workflow/kaleo/forms/web/internal/portlet/KaleoFormsAdminPortlet.java+37 −13 modified@@ -29,6 +29,7 @@ import com.liferay.portal.configuration.metatype.bnd.util.ConfigurableUtil; import com.liferay.portal.kernel.json.JSONFactoryUtil; import com.liferay.portal.kernel.json.JSONObject; +import com.liferay.portal.kernel.language.LanguageUtil; import com.liferay.portal.kernel.log.Log; import com.liferay.portal.kernel.log.LogFactoryUtil; import com.liferay.portal.kernel.model.WorkflowInstanceLink; @@ -40,6 +41,8 @@ import com.liferay.portal.kernel.service.WorkflowInstanceLinkLocalService; import com.liferay.portal.kernel.servlet.SessionErrors; import com.liferay.portal.kernel.theme.ThemeDisplay; +import com.liferay.portal.kernel.util.ListUtil; +import com.liferay.portal.kernel.util.LocaleUtil; import com.liferay.portal.kernel.util.MimeTypesUtil; import com.liferay.portal.kernel.util.ParamUtil; import com.liferay.portal.kernel.util.Validator; @@ -66,7 +69,10 @@ import java.io.IOException; -import java.util.Enumeration; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.List; +import java.util.Locale; import java.util.Map; import java.util.Objects; 
@@ -377,26 +383,25 @@ protected void saveInPortletSession( * * @param resourceRequest the resource request * @param resourceResponse the resource response - * @throws Exception if an exception occurred */ protected void saveInPortletSession( - ResourceRequest resourceRequest, ResourceResponse resourceResponse) - throws Exception { + ResourceRequest resourceRequest, ResourceResponse resourceResponse) { - Enumeration<String> enumeration = resourceRequest.getParameterNames(); + Map<String, String[]> parameterMap = resourceRequest.getParameterMap(); - while (enumeration.hasMoreElements()) { - String name = enumeration.nextElement(); + PortletSession portletSession = resourceRequest.getPortletSession(); - if (Objects.equals(name, "doAsUserId")) { + for (String parameterName : + ListUtil.concat( + _getLocalizedParameterNames(), _parameterNames)) { + + if (!parameterMap.containsKey(parameterName)) { continue; } - PortletSession portletSession = resourceRequest.getPortletSession(); - - String value = ParamUtil.getString(resourceRequest, name); - - portletSession.setAttribute(name, value); + portletSession.setAttribute( + parameterName, + ParamUtil.getString(resourceRequest, parameterName)); } } 
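Review bot: The allowlist in `saveInPortletSession` bounds how many session attributes a request can create, but not how large each one is: the result of `ParamUtil.getString(resourceRequest, parameterName)` is stored as-is, so fields such as `workflowDefinition` or `kaleoTaskFormPairsData` can still put a value as large as the container's request-size limit allows into every session. If that limit is not already tight, consider a per-value cap before the `setAttribute` call, e.g. `if (value.length() > MAX_SESSION_PARAMETER_LENGTH) { continue; }` (the constant name is a placeholder, not an existing one). The visible part of the follow-up commit 566ba7b48d6e shown above changes only the loop header of this method, so the point presumably still applies after it. The Javadoc above the method should also state that only allowlisted parameter names are saved, and note that removing `throws Exception` from a protected method can break a subclass whose override still declares it.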
@@ -519,9 +524,28 @@ protected void setDisplayContext( @Reference protected StorageEngine storageEngine; + private List<String> _getLocalizedParameterNames() { + List<String> localizedParameters = new ArrayList<>(); + + for (Locale availableLocale : LanguageUtil.getAvailableLocales()) { + localizedParameters.add( + "description" + LocaleUtil.toLanguageId(availableLocale)); + localizedParameters.add( + "name" + LocaleUtil.toLanguageId(availableLocale)); + } + + return localizedParameters; + } + private static final Log _log = LogFactoryUtil.getLog( KaleoFormsAdminPortlet.class); + private static final List<String> _parameterNames = Arrays.asList( + "backURL", "ddmStructureId", "ddmStructureName", "ddmTemplateId", + "historyKey", "kaleoProcessId", "kaleoTaskFormPairsData", "mvcPath", + "redirect", "translatedLanguagesDescription", "translatedLanguagesName", + "workflowDefinition"); + @Reference private DDLExporterFactory _ddlExporterFactory;
References (6)
- github.com/advisories/GHSA-j4fw-4mhr-hc45 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-43772 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/566ba7b48d6e8c62e5da71c34bb56b87183bf503 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/5d62db9d01005fc148297dad37f84660cd8b4a2b (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-17456 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43772 (nvd, WEB)