Volerion logoVolerion
Volerion logoVolerion

Liferay Portal and DXP Self-ReDoS Vulnerability in Kaleo Designer Portlet

Vulnerability

A self-induced regular expression denial-of-service vulnerability has been identified in the Kaleo Designer portlet of Liferay Portal and Liferay DXP. This issue affects authenticated users with permissions to update Kaleo Workflows, allowing them to input a malicious regular expression that can cause their browser to become unresponsive for an extended period. The vulnerability is present in Liferay Portal versions 7.4.0 through 7.4.3.131, as well as in Liferay DXP versions 2024.Q4.0 through 2024.Q4.1, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20, and 7.4 GA through update 92.

Impact

Exploitation of this vulnerability leads to a regular expression denial-of-service condition, causing browsers to hang for a prolonged duration.

Remediation

Users can upgrade to Liferay Portal 7.4.3.132, Liferay DXP 2024.Q4.2, or Liferay DXP 2025.Q1.0 to address this vulnerability.

Added: Aug 23, 2025, 5:24 AM
Updated: Aug 23, 2025, 5:24 AM

Vulnerability Rating

Custom Algorithm
spread
3.1
impact
2.5
exploitability
4.3
remediation
7.7
relevance
0.4
threat
0.0
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.