CVE-2025-62260

HIGH

Liferay Portal 7.4.0-7.4.3.99 & DXP 2023.Q3.1-2023.Q3.4, 7.4 GA-92, 7.3 GA-35 - DoS via Headless API

Title source: llm

Description

Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62260

Scores

CVSS v3 7.5

EPSS 0.0018

EPSS Percentile 38.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (8)

com.liferay.portal/release.portal.bom 7.4.0-ga1 - 7.4.3.100Maven

liferay/digital_experience_platform 7.3 (41 CPE variants)

liferay/digital_experience_platform 7.4

liferay/digital_experience_platform 2023.q3.1

liferay/digital_experience_platform 2023.q3.2

liferay/digital_experience_platform 2023.q3.3

liferay/digital_experience_platform 2023.q3.4

liferay/liferay_portal 7.4.0 - 7.4.3.99

Published Oct 27, 2025

Tracked Since Feb 18, 2026