Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-62254

Good to know:

icon

Date: October 23, 2025

The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

Severity Score

Related Resources (9)

https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab3370536
https://github.com/liferay/liferay-portal
https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a5
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254
https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd235
https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb664
https://nvd.nist.gov/vuln/detail/CVE-2025-62254
https://liferay.atlassian.net/browse/LPE-17867
https://www.mend.io/vulnerability-database/CVE-2025-62254

Severity Score

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

icon

Upgrade Version

Upgrade to version com.liferay.portal:com.liferay.portal.impl:97.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): LOW

Do you need more information?

Contact Us