Denial of Service Vulnerability in Liferay Portal Products
CVE-2025-62254

6.9 MEDIUM

Key Information:

Vendor: Liferay

CVE Published: 23 October 2025

What is CVE-2025-62254?

A vulnerability exists in the ComboServlet of Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, and of Liferay DXP across several 2023 quarterly updates. The flaw allows remote attackers to bypass the file size and file count limits that apply when files are combined through the URL query string. The server can then be overwhelmed by large response sizes, which can cause significant disruption, including denial of service.
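A log check a defender could run for the behaviour described above. This is an added example, not Liferay's code; the `/combo` path, the access-log format, the bare-component convention for combined files, the sample lines and both thresholds are assumptions to adjust for the deployment.

```python
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): the servlet is served at a path ending
# in /combo, combined files appear as bare '&'-separated query components,
# and both thresholds are placeholders to tune per site.
COMBO_PATH = "/combo"
MAX_RESOURCES = 50
MAX_RESPONSE_BYTES = 5 * 1024 * 1024

# Common/combined access-log prefix: ip, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def inspect_line(line):
    """Return a finding dict for an oversized combo request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.endswith(COMBO_PATH):
        return None
    # key=value components are treated as options, bare ones as combined files
    resources = [c for c in parts.query.split("&") if c and "=" not in c]
    size = 0 if m["size"] == "-" else int(m["size"])
    reasons = []
    if len(resources) > MAX_RESOURCES:
        reasons.append(f"{len(resources)} combined resources")
    if size > MAX_RESPONSE_BYTES:
        reasons.append(f"{size} byte response")
    if not reasons:
        return None
    return {"ip": m["ip"], "resources": len(resources), "bytes": size, "reasons": reasons}

def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines (documentation IP ranges, made-up file names).
_many = "&".join(f"/o/mod/file{i}.js" for i in range(120))
SAMPLE = [
    '203.0.113.10 - - [23/Oct/2025:10:00:01 +0000] "GET /combo?minifierType=js&/o/a.js&/o/b.js HTTP/1.1" 200 18234',
    f'198.51.100.7 - - [23/Oct/2025:10:00:05 +0000] "GET /combo?minifierType=js&{_many} HTTP/1.1" 200 9000000',
    '203.0.113.10 - - [23/Oct/2025:10:00:09 +0000] "GET /web/guest/home HTTP/1.1" 200 40211',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding["ip"], "; ".join(finding["reasons"]))
```

Findings from a check like this are a triage signal for patch prioritisation and rate limiting in front of the servlet, not proof of exploitation.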

Affected Version(s)

DXP 7.3.10 <= 7.3.10-u35

DXP 7.4.13 <= 7.4.13-u92

DXP 2023.Q3.1 <= 2023.Q3.5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
