CVE-2025-62250: Liferay Portal fails to verify messages from the cluster network is trusted

October 21, 2025

Improper Authentication in Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to send malicious data to the Liferay Portal 7.4.0 through 7.4.3.132, and older unsupported versions, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions that will treat it as trusted data via unauthenticated cluster messages.

References

github.com/advisories/GHSA-6pgj-w687-9c8c
github.com/liferay/liferay-portal
liferay.atlassian.net/browse/LPE-17901
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62250
nvd.nist.gov/vuln/detail/CVE-2025-62250

Code Behaviors & Features

Detect and mitigate CVE-2025-62250 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →