N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62254

GHSA ID

GHSA-q95h-87j6-273x

EPSS Score

0.39975%

CWE

CWE-22

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62254

CVE-2025-62254: Liferay Portal ComboServlet denial of service via large file combination

The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62254

GHSA ID

GHSA-q95h-87j6-273x

EPSS Score

0.39975%

CWE

CWE-22

Published

10/24/2025

Updated

10/24/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:com.liferay.portal.impl	maven	< 97.0.0	97.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description clearly points to the ComboServlet as the source of a denial-of-service vulnerability due to its failure to limit the number and size of files it combines. The provided commit patches all modify the com.liferay.portal.servlet.ComboServlet.java file, specifically within the doService method. The series of commits shows the evolution of a fix: first, introducing a configurable limit (combo.max.files), and then refining the logic to enforce this limit early in the request processing cycle within the doService method. The core of the vulnerability is the absence of a check on the number of requested files, which is precisely what the patches add. Therefore, the doService method is the single, clear point of vulnerability that would be exercised during an exploit.

Vulnerable functions

com.liferay.portal.servlet.ComboServlet.doService

portal-impl/src/com/liferay/portal/servlet/ComboServlet.java

The `doService` method in `ComboServlet` is responsible for processing requests to combine multiple files (like CSS or JS) into a single response. Before the patch, this method did not limit the number of files that could be specified in the `path` parameter of the request. An attacker could craft a URL with a very large number of file paths, causing the server to expend significant resources fetching, combining, and compressing these files. This excessive resource consumption leads to a denial of service, making the application unresponsive to legitimate users.

WAF Protection Rules

WAF Rule

T** *om*oS*rvl*t in Li**r*y Port*l *.*.* t*rou** *.*.*.***, *n* ol**r unsupport** v*rsions, *n* Li**r*y *XP ****.Q*.* t*rou** ****.Q*.*, ****.Q*.* t*rou** ****.Q*.*, *.* ** t*rou** up**t* **, *.* ** t*rou** up**t* **, *n* ol**r unsupport** v*rsions

Reasoning

T** vuln*r**ility **s*ription *l**rly points to t** `*om*oS*rvl*t` *s t** sour** o* * **ni*l-o*-s*rvi** vuln*r**ility *u* to its **ilur* to limit t** num**r *n* siz* o* *il*s it *om*in*s. T** provi*** *ommit p*t***s *ll mo*i*y t** `*om.li**r*y.port*l

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-62254: Liferay Portal ComboServlet denial of service via large file combination

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI