CVE-2025-62260: 
Liferay Portal Analisi e mitigazione delle vulnerabilità

CVE-2025-62260 is a vulnerability affecting Liferay Portal and Liferay DXP platforms. The vulnerability was discovered and disclosed on October 27, 2025, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.99, Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions (Liferay Advisory).

The vulnerability stems from the Headless API's failure to implement proper pagination limits on object returns. It has been assigned a CVSS v4.0 score of 7.1 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. This indicates that the vulnerability requires low attack complexity and can be exploited remotely with low privileges required (Liferay Advisory).

The vulnerability allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing requests that return a large number of objects. This can potentially impact the availability of the affected systems (Liferay Advisory).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.100, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.0, Liferay DXP 2023.Q3.5, or Liferay DXP 7.3 U36 (Liferay Advisory).