Platform: java
Component: com.liferay.portal:com.liferay.portal.impl
Fixed in: 7.4.4, 7.3.11, 7.4.14, 2023.0.1, 2023.0.1, 97.0.0
CVE-2025-62254 is a denial-of-service (DoS) vulnerability in the ComboServlet of Liferay Portal and Liferay DXP. A remote attacker can craft the URL query string so that the servlet builds an extremely large combined response, tying up server resources. Affected versions include Liferay Portal 7.4.0 through 7.4.3.111 and older unsupported versions, as well as Liferay DXP 2023.Q4.0 through 2023.Q4.2. A fix is available in version 97.0.0.
The impact is loss of availability. A successful exploit renders the Liferay Portal or DXP instance unresponsive, so legitimate users can no longer reach the platform. The attacker manipulates the URL query string to make the ComboServlet combine an excessive number of files, or files of unusually large size, and generating that response costs the server significant CPU and memory; repeated requests can overwhelm it and lead to a crash or prolonged downtime. The blast radius is every user of the affected instance, disrupting business operations and potentially critical services that depend on it.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively easy to test and potentially exploit. The attack vector is simple and requires no authentication, increasing the likelihood of opportunistic exploitation. The vulnerability was publicly disclosed on 2025-10-24.
Organizations running Liferay Portal or Liferay DXP in production environments are at risk. Specifically, deployments using older, unsupported versions or those that have not applied recent updates are particularly vulnerable. Shared hosting environments where multiple tenants share the same Liferay instance may also be affected, as an attacker could potentially exploit the vulnerability to impact other tenants.
• linux / server: Monitor the Liferay logs for unusual ComboServlet activity: requests to /combo with very long query strings, many module paths, or unusually large response sizes. Combo requests are recorded in the HTTP access log (for the Tomcat bundle, the localhost_access_log files under tomcat/logs, when the AccessLogValve is enabled) rather than reliably in the application log, and journalctl -u liferay only applies if Liferay runs under a systemd unit of that name.
journalctl -u liferay | grep -i combo
awk 'index($0, "/combo") && length($0) > 2000' /opt/liferay/tomcat/logs/localhost_access_log.*.txt   # adjust to your bundle's tomcat/logs path
• generic web: Use curl to send a crafted request to the ComboServlet with a large number of module paths (or one large bundle repeated many times) and watch CPU and memory on the server while it runs. Liferay's ComboServlet takes the module paths as bare query parameters after the browserId, minifierType and languageId parameters, not as a comma-separated file= list; the module paths below are placeholders, and the test belongs on a staging copy, not on production.
curl -v 'http://your-liferay-portal/combo?browserId=other&minifierType=&languageId=en_US&/o/module-a/a.js&/o/module-b/b.js&...'
Disclosure
Exploit status:
EPSS: 0.20% (42nd percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation for CVE-2025-62254 is to upgrade to Liferay Portal 97.0.0 or later, or to the corresponding fixed version of Liferay DXP. If an immediate upgrade is not feasible, consider temporary workarounds: configure a Web Application Firewall (WAF) or reverse proxy to reject requests to the ComboServlet whose query string is excessively long or carries an unusual number of module paths, and rate-limit the /combo endpoint per client. Tightening server resource limits (for example, the Tomcat connector's maxHttpHeaderSize bounds the request line including the query string, and memory allocation caps how much a single response can consume) reduces the impact but is not a complete fix. Monitor the access log for a sudden increase in combo requests with large response sizes. After upgrading, confirm the fix on a staging copy by attempting to trigger the vulnerability with a crafted URL and verifying that the server stays responsive.
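The log review described under the detection bullets and the request-size thresholds suggested above, as an added example (not Liferay's code and not part of this advisory): a Python triage script that parses ComboServlet URLs out of Tomcat-style access-log lines, flags requests with too many module paths, over-long query strings, repeated paths, non-.js/.css paths, or outsized responses, and counts hits per client as input for a rate-limit or WAF rule. The thresholds, the /opt-style log layout, the /o/example-js-web module paths, and the sample log lines are assumptions constructed for the demo.

```python
"""Triage Liferay ComboServlet requests in a Tomcat-style access log.

Added example, not Liferay code. Thresholds, module paths and the
sample log lines below are assumed/constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

COMBO_PATH = "/combo"           # ComboServlet is mapped under /combo
ALLOWED_EXT = (".js", ".css")   # Liferay's combo.allowed.file.extensions default
MAX_MODULES = 50                # assumed threshold: module paths per request
MAX_QUERY_LEN = 4096            # assumed threshold: bytes of query string
MAX_RESPONSE_BYTES = 5_000_000  # assumed threshold: size of the combined response

# Tomcat "common" access-log pattern: host ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_combo_request(uri):
    """Split a ComboServlet URI into (module_paths, control_params).

    Liferay combo URLs carry the module paths as bare query parameters, e.g.
    /combo?browserId=other&minifierType=&languageId=en_US&/o/a/x.js&/o/b/y.js
    Returns None when the URI is not a combo request.
    """
    parts = urlsplit(uri)
    if not parts.path.rstrip("/").endswith(COMBO_PATH):
        return None
    modules, params = [], {}
    for token in parts.query.split("&"):
        if not token:
            continue
        if "=" in token:                      # browserId=..., minifierType=, languageId=..., b=..., t=...
            key, _, value = token.partition("=")
            params[key] = value
        else:                                 # bare parameter = module path to combine
            modules.append(unquote(token))
    return modules, params


def assess_combo_request(uri, max_modules=MAX_MODULES, max_query_len=MAX_QUERY_LEN):
    """Return a list of findings for a combo URI (empty list = looks normal),
    or None if the URI is not a combo request at all."""
    parsed = parse_combo_request(uri)
    if parsed is None:
        return None
    modules, _params = parsed
    findings = []
    query_len = len(urlsplit(uri).query)
    if query_len > max_query_len:
        findings.append(f"query string {query_len} bytes exceeds {max_query_len}")
    if len(modules) > max_modules:
        findings.append(f"{len(modules)} module paths exceeds {max_modules}")
    # Heuristic: repeating one large bundle many times is the cheap way to inflate the response
    repeats = len(modules) - len(set(modules))
    if repeats:
        findings.append(f"{repeats} repeated module path(s)")
    # The servlet only combines .js/.css; anything else hints at probing
    odd = [m for m in modules if not m.lower().endswith(ALLOWED_EXT)]
    if odd:
        findings.append(f"{len(odd)} module path(s) without a .js/.css extension")
    return findings


def triage_access_log(lines, max_response_bytes=MAX_RESPONSE_BYTES):
    """Scan access-log lines; return (suspicious_requests, per_client_counts).

    suspicious_requests: list of (host, truncated uri, findings)
    per_client_counts: Counter of suspicious combo requests per client host,
    a starting point for a rate-limit or block rule on /combo.
    """
    suspicious, per_client = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = assess_combo_request(m["uri"])
        if findings is None:
            continue
        if m["bytes"] != "-" and int(m["bytes"]) > max_response_bytes:
            findings.append(f"response {m['bytes']} bytes exceeds {max_response_bytes}")
        if findings:
            suspicious.append((m["host"], m["uri"][:80], findings))
            per_client[m["host"]] += 1
    return suspicious, per_client


# Constructed sample log lines (not real traffic): one normal combo request,
# one that repeats a single bundle 300 times (sent twice), one non-combo request.
NORMAL_URI = ("/combo?browserId=other&minifierType=&languageId=en_US&b=7405"
              "&/o/example-js-web/a.js&/o/example-js-web/b.js")
ABUSIVE_URI = ("/combo?browserId=other&minifierType=&languageId=en_US"
               + "&/o/example-js-web/a.js" * 300)
SAMPLE_LOG = [
    f'203.0.113.5 - - [24/Oct/2025:10:00:01 +0000] "GET {NORMAL_URI} HTTP/1.1" 200 48213',
    f'198.51.100.7 - - [24/Oct/2025:10:00:02 +0000] "GET {ABUSIVE_URI} HTTP/1.1" 200 7380000',
    f'198.51.100.7 - - [24/Oct/2025:10:00:02 +0000] "GET {ABUSIVE_URI} HTTP/1.1" 200 7380000',
    '203.0.113.5 - - [24/Oct/2025:10:00:03 +0000] "GET /web/guest/home HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    hits, clients = triage_access_log(SAMPLE_LOG)
    for host, uri, findings in hits:
        print(host, uri, "->", "; ".join(findings))
    print("suspicious combo requests per client:", dict(clients))
```

Run it against real lines with `triage_access_log(open(path))`; the per-client counter is the value to feed a rate-limit or WAF block list, while the per-request findings tell you which threshold a legitimate page load is hitting if a rule proves too aggressive.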
Update Liferay Portal to a version later than 7.4.3.111 or to the latest available version of Liferay DXP. This corrects the denial-of-service vulnerability in the ComboServlet.
CVE-2025-62254 is a denial-of-service vulnerability in Liferay Portal 7.4 and DXP, allowing attackers to exhaust server resources via crafted URL requests to the ComboServlet.
You are affected if you are running Liferay Portal versions ≤96.0.0 or Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions.
Upgrade to Liferay Portal version 97.0.0 or later. As a temporary workaround, implement rate limiting or WAF rules to restrict requests to the ComboServlet.
No active exploitation campaigns have been confirmed, but the ease of exploitation suggests a potential for opportunistic attacks.
Refer to the official Liferay security advisory for CVE-2025-62254 on the Liferay website (link to be added when available).