CVE-2025-62254: 
Java vulnerability analysis and mitigation

The vulnerability CVE-2025-62254 affects the ComboServlet component in Liferay Portal and Liferay DXP systems. Discovered and disclosed on October 23, 2025, this vulnerability impacts multiple versions including Liferay Portal 7.4.0 through 7.4.3.111 and various DXP versions (2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and 7.3 GA through update 35) (Liferay Advisory, NVD).

The vulnerability stems from the ComboServlet's failure to implement proper limitations on the number or size of files it combines. It has been assigned a CVSS 4.0 Base Score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The primary impact of this vulnerability is the potential for denial of service attacks. Attackers can exploit this vulnerability by creating very large responses through the URL query string, which can significantly impact system availability (Liferay Advisory, CERT-FR).

Fixed versions have been released to address this vulnerability. Organizations should upgrade to Liferay Portal 7.4.3.112, Liferay DXP 2024.Q1.1, DXP 2023.Q4.3, DXP 2023.Q3.6, or DXP 7.3 U36 as appropriate for their deployment (Liferay Advisory).