CVE-2025-62254

CWE-22 Path Traversal | 4 documents | 4 sources

Severity: 6.9 MEDIUM
EPSS: 0.2% (top 54.65%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Oct 23
Latest update: Oct 24

Description

The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages (5 packages)

CVEListV5 | liferay/portal | 7.4.0 | 7.4.3.111
NVD | liferay/liferay_portal | 7.4.0 | 7.4.3.111
CVEListV5 | liferay/dxp | 7.3.10 | 7.3.10-u35 | +3

Vulnerability Details (3)

GHSA: Liferay Portal ComboServlet denial of service via large file combination (2025-10-24)
OSV: Liferay Portal ComboServlet denial of service via large file combination (2025-10-24)
CVEList: CVE-2025-62254: The ComboServlet in Liferay Portal 7 (2025-10-23)
CVE-2025-62254 (MEDIUM CVSS 6.9) | The ComboServlet in Liferay Portal | cvebase.io