CVE-2025-4604: 
Java vulnerability analysis and mitigation

CVE-2025-4604 is a CAPTCHA bypass vulnerability discovered in Liferay Portal and Liferay DXP that allows attackers to execute scripts in the Gogo shell. The vulnerability was disclosed on August 4, 2025, affecting multiple versions of Liferay Portal (7.4.3.80 through 7.4.3.132) and Liferay DXP versions spanning from 2024.Q1.1 through 2025.Q1.15, as well as DXP 7.4 updates 80 through 92 (Liferay Advisory).

The vulnerability allows attackers to bypass the Captcha verification mechanism, potentially leading to unauthorized script execution in the Gogo shell. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) (NVD).

The vulnerability can lead to unauthorized access to the Gogo shell, potentially allowing attackers to execute scripts with elevated privileges. This could result in high system confidentiality impact and low system integrity impact (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal's master branch and Liferay DXP version 2025.Q2.0. Organizations using affected versions should upgrade to the fixed versions to mitigate the vulnerability (Liferay Advisory).