CVE-2025-62258: 
Java vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Headless API of Liferay Portal and Liferay DXP, identified as CVE-2025-62258. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.107, and Liferay DXP versions 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The vulnerability was disclosed on October 27, 2025 (NVD, Liferay Advisory).

The vulnerability allows remote attackers to execute any Headless API via the endpoint parameter through a CSRF attack. The vulnerability has been assigned a CVSS v4.0 Base Score of 7.0 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (NVD).

The vulnerability could allow remote attackers to execute arbitrary Headless API calls through CSRF attacks, potentially leading to unauthorized actions being performed on behalf of authenticated users. The CVSS scores indicate high impact on integrity while maintaining low impact on confidentiality and no impact on availability (Liferay Advisory).

The vulnerability has been fixed in Liferay Portal version 7.4.3.108 and Liferay DXP versions 2024.Q1.1, 2023.Q4.1, 2023.Q3.5, and DXP 7.3 U36. Users are advised to upgrade to these or later versions to mitigate the vulnerability (Liferay Advisory).