CVE-2025-62275: 
Java vulnerability analysis and mitigation

CVE-2025-62275 is a security vulnerability discovered in Liferay Portal and Liferay DXP platforms, disclosed on October 31, 2025. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.111 (and older unsupported versions), as well as Liferay DXP versions 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 GA through update 92 (Liferay Advisory).

The vulnerability stems from a permission checking failure in the Blogs component, where the system does not properly verify permissions for images within blog entries. The severity of this vulnerability has been rated with a CVSS v4.0 score of 6.9 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-863 (Incorrect Authorization) (NVD Database).

The vulnerability allows remote attackers to view images in blog entries through crafted URLs, potentially exposing sensitive information that should be restricted. This impacts the confidentiality of data stored within blog entries, particularly affecting organizations that use Liferay's blogging functionality to share internal or restricted content (Liferay Advisory).

Organizations are advised to upgrade to the fixed versions: Liferay Portal 7.4.3.112 or Liferay DXP 2024.Q1.1. These versions include patches that address the permission checking vulnerability (Liferay Advisory).