CVE-2025-62250: 
Java vulnerability analysis and mitigation

CVE-2025-62250 is an Improper Authentication vulnerability affecting Liferay Portal versions 7.4.0 through 7.4.3.132 and older unsupported versions, as well as Liferay DXP versions 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35. The vulnerability was disclosed on October 21, 2025, and allows remote attackers to send malicious data that will be treated as trusted data via unauthenticated cluster messages (NVD, Liferay Advisory).

The vulnerability is classified as CWE-346 (Origin Validation Error) and has received a CVSS v4.0 Base Score of 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N). The issue stems from the portal's failure to properly verify whether messages from the cluster network are trusted, allowing unauthenticated attackers to inject malicious data that the system will process as legitimate (Miggo).

When exploited, this vulnerability allows remote attackers to send malicious data that will be treated as trusted by the Liferay system. The CVSS scoring indicates low-level impacts on both confidentiality (VC:L) and integrity (VI:L), with no impact on availability (VA:N) (Liferay Advisory).

Fixed versions have been released including Liferay Portal fixed on master branch, Liferay DXP 2024.Q1.1, Liferay DXP 2023.Q4.1, Liferay DXP 2023.Q3.5, and Liferay DXP 7.3 update 36. Users are advised to upgrade to these patched versions (Liferay Advisory).