CVE-2025-62258: 
Java Análise e mitigação de vulnerabilidades

CVE-2025-62258 is a Cross-Site Request Forgery (CSRF) vulnerability discovered in the Headless API of Liferay Portal and Liferay DXP. The vulnerability was publicly disclosed on October 27, 2025, affecting multiple versions of Liferay products including Liferay Portal 7.4.0 through 7.4.3.107, Liferay DXP 2023.Q3.1 through 2023.Q3.4, Liferay DXP 7.4, and Liferay DXP 7.3 GA through U35 (Liferay Security).

The vulnerability allows remote attackers to execute any Headless API via the 'endpoint' parameter. The severity of this vulnerability has been rated at 7.0 under CVSS v4.0 with the following vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (Liferay Security).

The vulnerability can lead to high impacts on both confidentiality and integrity of the affected systems, though availability is not impacted. The CVSS scoring indicates that while the vulnerability requires user interaction, it can be exploited remotely without requiring privileges (Liferay Security).

The vulnerability has been fixed in multiple versions including Liferay Portal 7.4.3.108, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 U36. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Security).