CVE-2025-62257: Liferay Portal vulnerable to password enumeration

CVSS Score: N/A

Basic Information

EPSS Score: 0.35285%
Published: 10/30/2025
Updated: 10/30/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Affected package
Package Name: com.liferay.portal:release.portal.bom
Ecosystem: maven
Vulnerable Versions: >= 7.4.0-ga1, < 7.4.3.120
First Patched Version: 7.4.3.120

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

Analysis of the patches places CVE-2025-62257 in the _authenticate method of the com.liferay.portal.security.auth.session.AuthenticatedSessionManagerImpl class. The key change is commit 45cffd5030ab78e8b005d9cfd6284311da978c68, which removes a block that, after a failed authentication, still fetched the user and checked the account's lockout status. That lockout check only applies to accounts that exist, and a locked account fails differently from an unlocked one, so the failure path behaved differently for a non-existent account, a valid account with a wrong password and a locked-out account. What leaks is therefore account existence and lockout state, which a remote attacker can read from the server's responses and timing; this is the enumeration the CVE describes. The fix makes every authentication failure raise the same AuthException, closing the leak. The other two commits (924a0a47007665693fe2d29623cb48a426a80266 and d21627ac07561c5063f611be631e63ff502ec8e7) add and adjust integration tests for the fix and contain no production code.

Vulnerable functions

com.liferay.portal.security.auth.session.AuthenticatedSessionManagerImpl._authenticate
portal-impl/src/com/liferay/portal/security/auth/session/AuthenticatedSessionManagerImpl.java
The vulnerability is in the `_authenticate` method. Before the patch, a failed authentication attempt did not stop at the failure: the code went on to fetch the user and check the account's lockout status. Because that path behaves differently for a non-existent account, an existing account with a wrong password and a locked account, an attacker observing the response or its timing could classify the account being tried. The patch removes the differential handling and throws a generic `AuthException` as soon as authentication fails.
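The root-cause analysis and the function description above both turn on one pattern: a login failure that does different work, or returns a different error, depending on whether the account exists or is locked. The following Python model is an added example and is not Liferay's code; the user store, the exception names and the query/hash counters are constructed stand-ins for the portal's internals. `vulnerable_authenticate` mirrors the pre-patch shape (re-fetch the user and check lockout after a failure), `fixed_authenticate` mirrors the patch (one uniform `AuthException` on any failure) and additionally hashes against a dummy value for unknown accounts so the amount of work is constant, which goes beyond the patch described on this page. `distinct_failure_signals` is the black-box check a tester would run: the number of distinguishable failure signals is the size of the enumeration oracle.

```python
"""Model of the auth-failure side channel described for CVE-2025-62257.

Constructed example: the user store, exception names and the work counters
stand in for the portal's own internals and are not Liferay code.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


class AuthException(Exception):
    """Generic authentication failure (the only signal the fix emits)."""


class UserLockoutException(AuthException):
    """Distinct failure raised by the pre-patch shape for locked accounts."""


@dataclass
class User:
    email: str
    pw_hash: bytes
    locked: bool = False


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    queries: int = 0   # stand-in for observable work: user lookups
    hashes: int = 0    # stand-in for observable work: password hashing

    def fetch(self, email: str):
        self.queries += 1
        return self.users.get(email)

    def hash_password(self, password: str) -> bytes:
        # Constructed: a real deployment uses a slow KDF, which makes the
        # "did we hash or not" difference far more visible as timing.
        self.hashes += 1
        return hashlib.sha256(password.encode()).digest()


# Hash of a password nobody holds; lets the fixed flow do equal work for
# unknown accounts (this part goes beyond the patch described on the page).
_DUMMY_HASH = hashlib.sha256(b"no-such-password").digest()


def vulnerable_authenticate(store: UserStore, email: str, password: str) -> User:
    """Pre-patch shape: a failed attempt re-fetches the user and checks lockout."""
    user = store.fetch(email)
    if user is not None and hmac.compare_digest(user.pw_hash, store.hash_password(password)):
        if user.locked:
            raise UserLockoutException("account locked")
        return user
    # Failure path with differential handling: unknown accounts never hashed,
    # known accounts get a second lookup, locked ones a different exception.
    user = store.fetch(email)
    if user is not None and user.locked:
        raise UserLockoutException("account locked")
    raise AuthException("authentication failed")


def fixed_authenticate(store: UserStore, email: str, password: str) -> User:
    """Post-patch shape: every failure is one uniform AuthException, and the
    same lookup and hash work is done whether or not the account exists."""
    user = store.fetch(email)
    expected = user.pw_hash if user is not None else _DUMMY_HASH
    ok = hmac.compare_digest(expected, store.hash_password(password))
    if user is None or user.locked or not ok:
        raise AuthException("authentication failed")
    return user


def observe(authenticate, store: UserStore, email: str, password: str):
    """What a remote attacker can see: response class plus work performed."""
    store.queries = store.hashes = 0
    try:
        authenticate(store, email, password)
        outcome = "success"
    except AuthException as exc:
        outcome = type(exc).__name__
    return (outcome, store.queries, store.hashes)


def make_store() -> UserStore:
    # Constructed sample accounts: one active, one locked.
    store = UserStore()
    store.users["alice@example.com"] = User("alice@example.com", store.hash_password("correct horse"))
    store.users["bob@example.com"] = User("bob@example.com", store.hash_password("battery staple"), locked=True)
    return store


def distinct_failure_signals(authenticate) -> set:
    """Probe an unknown, a known and a locked account with a wrong password;
    the number of distinct signals is the size of the enumeration oracle."""
    store = make_store()
    probes = ["nobody@example.com", "alice@example.com", "bob@example.com"]
    return {observe(authenticate, store, email, "wrong-password") for email in probes}


if __name__ == "__main__":
    print("vulnerable:", sorted(distinct_failure_signals(vulnerable_authenticate)))
    print("fixed:     ", sorted(distinct_failure_signals(fixed_authenticate)))
```

Running the module shows three distinct signals for the vulnerable flow (no hash for unknown accounts, a second lookup for known ones, a different exception for locked ones) and a single signal for the fixed flow. When testing a real deployment the equivalent probe compares HTTP status, body and response time across the three account classes, with several samples per class to average out network jitter.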

WAF Protection Rules

WAF Rule

Password enumeration vulnerability in Liferay Portal *.*.* through *.*.*.***, and older unsupported versions, and Liferay DXP ****.Q*.* through ****.Q*.*, ****.Q*.* through ****.Q*.**, ****.Q*.* through ****.Q*.**, *.* GA through update **, and older (version numbers are masked in the source text, which also cuts the description off at this point)
