PT-2025-44052 · Liferay · Liferay Portal+1

Published: 2025-10-27 · Updated: 2025-11-10

CVE-2025-62260

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.3 GA through update 35
Liferay Portal versions 7.4.0 through 7.4.3.99
Liferay Portal versions 7.4 GA through update 92
Liferay DXP versions 2023.Q3.1 through 2023.Q3.4

Description

The software does not limit the number of objects returned from Headless API requests. This can allow remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects. The API endpoint is susceptible to requests returning an excessive number of objects, potentially overwhelming the system.

Recommendations

Update Liferay Portal to a version newer than 7.3 update 35.
Update Liferay Portal to a version newer than 7.4.3.99.
Update Liferay Portal to a version newer than 7.4 update 92.
Update Liferay DXP to a version newer than 2023.Q3.4.

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2025-62260
GHSA-VGQX-447M-WVCJ

Affected Products

Liferay DXP
Liferay Portal