Platform
java
Component
com.liferay.portal:com.liferay.portal.impl
Fixed versions
7.4.4
7.3.11
7.4.14
2023.0.1
2023.0.1
97.0.0
CVE-2025-62254 describes a Denial of Service (DoS) vulnerability discovered in Liferay Portal and Liferay DXP. This flaw resides within the ComboServlet component, allowing remote attackers to induce a denial of service by manipulating the URL query string to generate extremely large responses. Affected versions include Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, as well as Liferay DXP 2023.Q4.0 through 2023.Q4.2. A fix is available in version 97.0.0.
The vulnerability allows an attacker to exhaust server resources by requesting the ComboServlet to combine a large number of files or files of significant size. This can lead to a complete denial of service, rendering the Liferay Portal instance unavailable to legitimate users. The impact extends beyond simple service disruption; prolonged DoS attacks can impact business operations, damage reputation, and potentially lead to financial losses. The ability to trigger this DoS remotely via a simple URL request makes it particularly concerning, as it requires minimal attacker effort and can be easily automated.
This CVE was published on 2025-10-24. No public proof-of-concept (PoC) code is currently available. The EPSS score was pending at publication; the current figure is shown in the exploit status section below. While no active exploitation campaigns have been confirmed, the ease of triggering the vulnerability via a single crafted URL suggests a potential for opportunistic attacks.
Organizations running Liferay Portal or Liferay DXP in production environments are at risk. Specifically, deployments using older, unsupported versions or those that have not applied recent updates are particularly vulnerable. Shared hosting environments where multiple tenants share the same Liferay instance may also be affected, as an attacker could potentially exploit the vulnerability to impact other tenants.
• linux / server: Monitor Liferay Portal logs for unusual ComboServlet activity: requests with very long query strings, many module paths in a single combo request, or unusually large responses. If Liferay is installed as a systemd service named liferay, journalctl can filter the entries (the unit name depends on your installation; a Tomcat bundle may log to catalina.out instead, and the HTTP access log is the better place to see query-string length and response size):
journalctl -u liferay | grep ComboServlet
• generic web: Use curl to test the ComboServlet endpoint, which is mounted at /combo and takes the files to combine as query-string keys, with a crafted URL listing a large number of files. Run this only against a non-production instance you own, and monitor server resource usage (CPU, memory) during the test.
curl -v 'http://your-liferay-portal/combo?browserId=other&minifierType=&languageId=en_US&/o/frontend-js-web/loader/config.js&/o/frontend-js-web/loader/loader.js&...'
disclosure
Exploit status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to Liferay Portal version 97.0.0 or later, which includes the fix for this vulnerability. If immediate upgrading is not feasible, consider temporary workarounds: rate limiting requests to the ComboServlet, restricting the number or total size of files a single combo request may combine, or a Web Application Firewall (WAF) rule that rejects /combo requests with excessively long query strings. Monitor server resource utilization closely for any signs of unusual activity. After upgrading, confirm the fix on a non-production instance by sending a crafted /combo URL and verifying that the server does not experience a denial of service.
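The following is an added example, not code from Liferay or from this advisory, that puts the two detection bullets above and the request-filtering workaround into one script. It assumes the ComboServlet URL format (files are passed as query-string keys after option parameters such as browserId, minifierType and languageId; the option-parameter set below is an assumption), Common Log Format access logs, and illustrative thresholds that you would replace with values from your own baseline. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: query keys other than these option parameters are module paths
# that ComboServlet will read and concatenate into one response.
COMBO_OPTION_PARAMS = {"browserId", "minifierType", "languageId", "b", "t", "zx"}

# Illustrative thresholds (assumptions); derive real values from your own access logs.
MAX_FILES = 50                  # module paths allowed in one combo request
MAX_QUERY_LEN = 4096            # bytes of query string allowed on /combo
MAX_RESPONSE_BYTES = 5_000_000  # combined responses above this size are suspicious
MAX_HITS_PER_CLIENT = 20        # combo requests from one client in the sampled window

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def combo_files(target: str) -> list[str]:
    """Module paths requested by a /combo request target; [] if it is not a combo URL."""
    parts = urlsplit(target)
    if not parts.path.startswith("/combo"):
        return []
    return [key for key, _ in parse_qsl(parts.query, keep_blank_values=True)
            if key not in COMBO_OPTION_PARAMS]


def should_block(target: str) -> tuple[bool, str]:
    """WAF-style gate for one request: (True, reason) when a threshold is exceeded."""
    parts = urlsplit(target)
    if not parts.path.startswith("/combo"):
        return False, ""
    if len(parts.query) > MAX_QUERY_LEN:
        return True, f"query string {len(parts.query)} bytes > {MAX_QUERY_LEN}"
    count = len(combo_files(target))
    if count > MAX_FILES:
        return True, f"{count} files > {MAX_FILES}"
    return False, ""


def scan_access_log(lines: list[str]) -> list[dict]:
    """Flag combo requests by file count, query length, response size and per-client volume."""
    findings = []
    hits = Counter()
    for line in lines:
        match = CLF.match(line)
        if not match:
            continue
        target = match.group("target")
        if not urlsplit(target).path.startswith("/combo"):
            continue
        ip = match.group("ip")
        hits[ip] += 1
        blocked, reason = should_block(target)
        if blocked:
            findings.append({"ip": ip, "reason": reason})
        sent = match.group("bytes")
        if sent != "-" and int(sent) > MAX_RESPONSE_BYTES:
            findings.append({"ip": ip, "reason": f"response {sent} bytes > {MAX_RESPONSE_BYTES}"})
    for ip, count in hits.items():
        if count > MAX_HITS_PER_CLIENT:
            findings.append({"ip": ip, "reason": f"{count} combo requests > {MAX_HITS_PER_CLIENT}"})
    return findings


# Constructed sample log (not real traffic): one ordinary combo request, then the
# same client asking for 60 modules at once, 25 times in a row.
NORMAL_LINE = ('198.51.100.7 - - [24/Oct/2025:10:00:01 +0000] "GET /combo?browserId=chrome'
               '&minifierType=&languageId=en_US&b=7403&/o/frontend-js-web/loader/config.js'
               '&/o/frontend-js-web/loader/loader.js HTTP/1.1" 200 18234')
FLOOD_TARGET = "/combo?minifierType=&" + "&".join(f"/o/module{i}/main.js" for i in range(60))
FLOOD_LINES = [f'203.0.113.5 - - [24/Oct/2025:10:00:{i:02d} +0000] "GET {FLOOD_TARGET} HTTP/1.1" 200 6100000'
               for i in range(25)]
SAMPLE_LOG = [NORMAL_LINE] + FLOOD_LINES

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["reason"])
```

should_block is the decision a WAF or reverse proxy rule would make before the request reaches the servlet; scan_access_log applies the same thresholds retrospectively to logs and adds the two signals only visible after the fact, response size and request volume per client. Both read the file list the same way ComboServlet does, so a request that splits one huge list across many short module paths is still counted.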
Update Liferay Portal to a version later than 7.4.3.111, or to the latest available Liferay DXP release. This corrects the denial-of-service vulnerability in the ComboServlet.
CVE-2025-62254 is a denial-of-service vulnerability in Liferay Portal 7.4 and DXP, allowing attackers to exhaust server resources via crafted URL requests to the ComboServlet.
You are affected if you are running Liferay Portal versions ≤96.0.0 or Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions.
Upgrade to Liferay Portal version 97.0.0 or later. As a temporary workaround, implement rate limiting or WAF rules to restrict requests to the ComboServlet.
No active exploitation campaigns have been confirmed, but the ease of exploitation suggests a potential for opportunistic attacks.
Refer to the official Liferay security advisory for CVE-2025-62254 on the Liferay website (link to be added when available).