N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62256

GHSA ID

GHSA-j82q-c85j-xw4w

EPSS Score

CWE

CWE-862

Published

10/23/2025

Updated

10/23/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62256

CVE-2025-62256: Liferay Portal and DXP do not properly restrict access to OpenAPI

Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, and older unsupported versions does not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers to access the OpenAPI YAML file via a crafted URL.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62256

CVE-2025-62256:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62256

GHSA ID

GHSA-j82q-c85j-xw4w

EPSS Score

CWE

CWE-862

Published

10/23/2025

Updated

10/23/2025

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay:com.liferay.portal.security.auth.verifier	maven	< 6.0.26	6.0.26

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows remote attackers to access the OpenAPI YAML file without proper authorization. The root cause of this issue lies in the improper configuration of the authentication filter, which failed to apply to all relevant request dispatch types, such as FORWARD.

The analysis of the provided patches reveals that the core of the vulnerability is in the com.liferay.portal.security.auth.verifier.internal.tracker.AuthVerifierFilterTracker._toDictionary method. Before the patch, this method would overwrite configuration properties if multiple properties had the same key. The fix applied in commit 27b51dbae35bd6e4b415fb33ecf14b2144b5038f corrects this behavior by accumulating values for the same key into a list. This is crucial for correctly setting up the AuthVerifierFilter for multiple dispatchers, as specified in the component's properties.

When this vulnerability is exploited, a crafted URL would likely cause the application server to forward the request to the OpenAPI endpoint. Due to the bug in _toDictionary, the authentication filter would not have been configured to intercept forwarded requests, thus allowing unauthorized access. Therefore, the _toDictionary function is the primary vulnerable function as its incorrect logic leads to the security misconfiguration.

Another related change in com.liferay.portal.vulcan.internal.template.servlet.RESTClientHttpRequest (commit bc6138ce1be22babbd90dc2190f4dbe91c039334) adds a CSRF token to internal REST calls. This appears to be a secondary fix to ensure that internal services can still function correctly after the primary security gap was closed, rather than being the source of the vulnerability itself.

Vulnerable functions

com.liferay.portal.security.auth.verifier.internal.tracker.AuthVerifierFilterTracker._toDictionary

modules/apps/portal-security/portal-security-auth-verifier/src/main/java/com/liferay/portal/security/auth/verifier/internal/tracker/AuthVerifierFilterTracker.java

The `_toDictionary` method was responsible for parsing filter configuration properties. The original implementation would overwrite properties with the same key. This was particularly problematic for the 'dispatcher' property of the authentication filter. The fix introduces logic to handle multiple values for the same key by creating a list of values. This ensures that the authentication filter is registered for all necessary dispatch types (e.g., REQUEST, FORWARD), preventing an authorization bypass when a request is forwarded to a protected resource like the OpenAPI YAML file.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62256: Liferay Portal and DXP do not properly restrict access to OpenAPI

CVE-2025-62256:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

CVE-2025-62256: Liferay Portal and DXP do not properly restrict access to OpenAPI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI