
CVE-2025-62256: Liferay Portal and DXP do not properly restrict access to OpenAPI

CVSS Score
N/A

Basic Information

EPSS Score
-
Published
10/23/2025
Updated
10/23/2025
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
-
Package Name
com.liferay:com.liferay.portal.security.auth.verifier
Ecosystem
maven
Vulnerable Versions
< 6.0.26
First Patched Version
6.0.26

Vulnerability Intelligence

Root Cause Analysis

The vulnerability allows remote attackers to access the OpenAPI YAML file without proper authorization. The root cause of this issue lies in the improper configuration of the authentication filter, which failed to apply to all relevant request dispatch types, such as FORWARD.

The analysis of the provided patches reveals that the core of the vulnerability is in the com.liferay.portal.security.auth.verifier.internal.tracker.AuthVerifierFilterTracker._toDictionary method. Before the patch, this method would overwrite configuration properties if multiple properties had the same key. The fix applied in commit 27b51dbae35bd6e4b415fb33ecf14b2144b5038f corrects this behavior by accumulating values for the same key into a list. This is crucial for correctly setting up the AuthVerifierFilter for multiple dispatchers, as specified in the component's properties.

When this vulnerability is exploited, a crafted URL would likely cause the application server to forward the request to the OpenAPI endpoint. Due to the bug in _toDictionary, the authentication filter would not have been configured to intercept forwarded requests, thus allowing unauthorized access. Therefore, the _toDictionary function is the primary vulnerable function as its incorrect logic leads to the security misconfiguration.

Another related change in com.liferay.portal.vulcan.internal.template.servlet.RESTClientHttpRequest (commit bc6138ce1be22babbd90dc2190f4dbe91c039334) adds a CSRF token to internal REST calls. This appears to be a secondary fix to ensure that internal services can still function correctly after the primary security gap was closed, rather than being the source of the vulnerability itself.

Vulnerable functions

com.liferay.portal.security.auth.verifier.internal.tracker.AuthVerifierFilterTracker._toDictionary
modules/apps/portal-security/portal-security-auth-verifier/src/main/java/com/liferay/portal/security/auth/verifier/internal/tracker/AuthVerifierFilterTracker.java
The `_toDictionary` method was responsible for parsing filter configuration properties. The original implementation would overwrite properties with the same key. This was particularly problematic for the 'dispatcher' property of the authentication filter. The fix introduces logic to handle multiple values for the same key by creating a list of values. This ensures that the authentication filter is registered for all necessary dispatch types (e.g., REQUEST, FORWARD), preventing an authorization bypass when a request is forwarded to a protected resource like the OpenAPI YAML file.
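The overwrite-versus-accumulate difference described above, as an added Java example that is not Liferay's code: the property key name "dispatcher", the sample properties and their order are constructed assumptions, and the way a filter's dispatch types are read back from the dictionary is a simplification of the real registration.

```java
import java.util.*;

public class DispatcherPropertyDemo {
    // Constructed sample: the filter component's properties as (key, value) pairs.
    // A multi-valued property arrives as repeated keys; the key name "dispatcher" and
    // the value order are assumptions, ordered so that the overwriting bug drops FORWARD.
    static final String DISPATCHER_KEY = "dispatcher";
    static final List<Map.Entry<String, String>> PROPERTIES = List.of(
        Map.entry("filter.name", "AuthVerifierFilter"),
        Map.entry(DISPATCHER_KEY, "FORWARD"),
        Map.entry(DISPATCHER_KEY, "REQUEST"));

    // Pre-fix behaviour: a later value for the same key silently replaces the earlier one.
    static Dictionary<String, Object> toDictionaryOverwriting(List<Map.Entry<String, String>> props) {
        Dictionary<String, Object> dict = new Hashtable<>();
        for (Map.Entry<String, String> e : props) dict.put(e.getKey(), e.getValue());
        return dict;
    }

    // Post-fix behaviour: repeated keys accumulate their values into a list.
    static Dictionary<String, Object> toDictionaryAccumulating(List<Map.Entry<String, String>> props) {
        Map<String, List<String>> grouped = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : props)
            grouped.computeIfAbsent(e.getKey(), k -> new ArrayList<>()).add(e.getValue());
        Dictionary<String, Object> dict = new Hashtable<>();
        grouped.forEach((k, v) -> dict.put(k, v.size() == 1 ? v.get(0) : v));
        return dict;
    }

    // Dispatch types a filter registered from this dictionary would intercept.
    static Set<String> registeredDispatchers(Dictionary<String, Object> dict) {
        Object value = dict.get(DISPATCHER_KEY);
        List<?> values = value instanceof List ? (List<?>) value
            : value == null ? List.of() : List.of(value);
        Set<String> types = new TreeSet<>();
        for (Object v : values) types.add(String.valueOf(v));
        return types;
    }

    public static void main(String[] args) {
        for (Dictionary<String, Object> dict : List.of(toDictionaryOverwriting(PROPERTIES), toDictionaryAccumulating(PROPERTIES))) {
            Set<String> types = registeredDispatchers(dict);
            System.out.println("registered for " + types + ", FORWARD intercepted: " + types.contains("FORWARD"));
        }
    }
}
```

With the overwriting variant only REQUEST survives, so a forwarded request reaches the protected resource unfiltered; the accumulating variant registers both dispatch types.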
