
CVE-2025-62254: Liferay Portal ComboServlet denial of service via large file combination

CVSS Score: N/A

Basic Information

EPSS Score: 0.39975%
Published: 10/24/2025
Updated: 10/24/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: com.liferay.portal:com.liferay.portal.impl
Ecosystem: maven
Vulnerable Versions: < 97.0.0
First Patched Version: 97.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability description clearly points to the ComboServlet as the source of a denial-of-service vulnerability due to its failure to limit the number and size of files it combines. The provided commit patches all modify the com.liferay.portal.servlet.ComboServlet.java file, specifically within the doService method. The series of commits shows the evolution of a fix: first, introducing a configurable limit (combo.max.files), and then refining the logic to enforce this limit early in the request processing cycle within the doService method. The core of the vulnerability is the absence of a check on the number of requested files, which is precisely what the patches add. Therefore, the doService method is the single, clear point of vulnerability that would be exercised during an exploit.

Vulnerable functions

com.liferay.portal.servlet.ComboServlet.doService
portal-impl/src/com/liferay/portal/servlet/ComboServlet.java
The `doService` method in `ComboServlet` is responsible for processing requests to combine multiple files (like CSS or JS) into a single response. Before the patch, this method did not limit the number of files that could be specified in the `path` parameter of the request. An attacker could craft a URL with a very large number of file paths, causing the server to expend significant resources fetching, combining, and compressing these files. This excessive resource consumption leads to a denial of service, making the application unresponsive to legitimate users.
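The shape of the fix, as an added illustration that is not Liferay's code: a minimal combo-style servlet that counts the requested files and rejects the request before the first file is opened. The servlet class, the use of a repeated `path` query parameter, reading the cap from a `combo.max.files` system property, and the default of 50 are all assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical minimal combo servlet: concatenates the static resources named
// by the repeated "path" query parameter into one response.
public class ComboServletExample extends HttpServlet {
    // Stand-in for the configurable cap the fix introduced (combo.max.files);
    // reading it from a system property and the default of 50 are assumptions.
    static final int MAX_FILES = Integer.getInteger("combo.max.files", 50);

    // Returns true when a request names more files than the cap allows.
    static boolean exceedsFileLimit(String[] paths, int maxFiles) {
        return paths != null && paths.length > maxFiles;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String[] paths = request.getParameterValues("path");
        if (paths == null || paths.length == 0) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "no files requested");
            return;
        }
        // Vulnerable ordering: the loop below ran without this check, so a URL
        // listing a very large number of paths made the server open, join and
        // compress them all. The fix rejects the request before any file is read.
        if (exceedsFileLimit(paths, MAX_FILES)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                "too many files requested: " + paths.length + " (max " + MAX_FILES + ")");
            return;
        }
        response.setContentType("text/javascript");
        OutputStream out = response.getOutputStream();
        for (String path : paths) {
            // Resolved against the web application root; any further per-path
            // validation the real servlet applies is outside this example.
            try (InputStream in = getServletContext().getResourceAsStream(path)) {
                if (in == null) {
                    continue; // unknown file: skipped (assumed behaviour)
                }
                in.transferTo(out); // Java 9+
            }
        }
    }
}
```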
