CVE-2025-62256: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2025-62256) was discovered in Liferay Portal and DXP systems that allows unauthorized access to OpenAPI YAML files. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.109, and multiple versions of Liferay DXP including 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, and 7.3 GA through update 35. This security flaw was disclosed on October 23, 2025, and has been assigned a CVSS v4.0 score of 6.9 (Medium) (Liferay Advisory).

The vulnerability stems from improper configuration of the authentication filter in the com.liferay.portal.security.auth.verifier.internal.tracker.AuthVerifierFilterTracker._toDictionary method. The root cause lies in the method's behavior of overwriting configuration properties when multiple properties share the same key, particularly affecting the 'dispatcher' property of the authentication filter. This implementation flaw allows attackers to bypass authorization when requests are forwarded to protected resources like the OpenAPI YAML file. The vulnerability is classified as CWE-862 (Missing Authorization) (Miggo Analysis).

When exploited, this vulnerability allows remote attackers to access OpenAPI YAML files through crafted URLs without proper authorization. The exposure of OpenAPI documentation could potentially reveal sensitive information about the system's API structure and endpoints (NVD).

The vulnerability has been patched in Liferay Portal version 7.4.3.110 and several DXP versions including 2024.Q1.1, 2023.Q4.6, 2023.Q3.8, and 7.3 U36. Organizations running affected versions should upgrade to these patched versions to address the security issue (Liferay Advisory).