CVE-2025-62259: Liferay Portal Does Not Limit Access to APIs Before Email Verification

October 28, 2025 (updated October 29, 2025)

Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.

References

github.com/advisories/GHSA-gv7w-jh8g-vr73
github.com/liferay/liferay-portal
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62259
nvd.nist.gov/vuln/detail/CVE-2025-62259

Code Behaviors & Features

Detect and mitigate CVE-2025-62259 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →