PT-2025-43572 · Liferay · Liferay Dxp+1

Published: 2025-10-23 · Updated: 2025-11-10 · CVE-2025-62254

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3 GA through update 35
Liferay Portal versions 7.4.0 through 7.4.3.111
Liferay DXP versions 2023.Q3.1 through 2023.Q3.5
Liferay DXP versions 2023.Q4.0 through 2023.Q4.2
Liferay Portal 7.4 GA through update 92

Description

The ComboServlet component does not restrict the number or size of files it combines. This allows a remote attacker to construct a specially crafted URL query string that generates excessively large responses, potentially leading to a denial-of-service (DoS) condition.

Recommendations

Liferay Portal versions 7.3 GA through update 35: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay Portal versions 7.4.0 through 7.4.3.111: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay DXP versions 2023.Q3.1 through 2023.Q3.5: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay DXP versions 2023.Q4.0 through 2023.Q4.2: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Liferay Portal 7.4 GA through update 92: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2025-62254
GHSA-Q95H-87J6-273X

Affected Products

Liferay Dxp
Liferay Portal