Fluid Attacks Database

Description

Liferay Portal Vulnerable to DoS via Crafted Headless API Request Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:release.portal.bom	>=7.4.0-ga1 <7.4.3.100	7.4.3.100

Aliases

1. CVE-2025-622602. NVD-2025-622603. OSV-2025-622604. GCVE-2025-62260

References

1. https://github.com/liferay/liferay-portal/commit/5f5c73913b0e7287f7de0b4e19987cc57844b6912. https://liferay.atlassian.net/browse/LPE-178003. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62260

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.