CVE-2025-62258

MEDIUM

Liferay DXP 7.4.0-7.4.3.107, 2023.Q3.1-2023.Q3.4, 7.4 GA-92, 7.3 GA-35 - CSRF via Headless API

Title source: llm

Description

CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62258

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 7.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-352

Status published

Products (8)

com.liferay.portal/release.portal.bom 7.4.0-ga1 - 7.4.3.108Maven

liferay/digital_experience_platform 7.3 (41 CPE variants)

liferay/digital_experience_platform 7.4

liferay/digital_experience_platform 2023.q3.1

liferay/digital_experience_platform 2023.q3.2

liferay/digital_experience_platform 2023.q3.3

liferay/digital_experience_platform 2023.q3.4

liferay/liferay_portal 7.4.0 - 7.4.3.108

Published Oct 27, 2025

Tracked Since Feb 18, 2026