logo

Database

Lack of data validation - Path Traversal In com.liferay.portal:com.liferay.portal.impl

Description

Liferay Portal ComboServlet denial of service via large file combination The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-622542. NVD-2025-622543. OSV-2025-622544. GCVE-2025-62254

References

1. https://github.com/liferay/liferay-portal/commit/45e1a3a757bc38f7b9f8034909e90f1a56f160a52. https://github.com/liferay/liferay-portal/commit/8328aaf7c6ebb3f76c7982256e028caeb48fb6643. https://github.com/liferay/liferay-portal/commit/85d63e9d6e47e11074046cc4459d3b1ab33705364. https://github.com/liferay/liferay-portal/commit/def502837297d155ec2fd61044288e75230dd2355. https://liferay.atlassian.net/browse/LPE-178676. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62254

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.