Miggo Logo

CVE-2025-62276: Liferay Portal and DXP use an incorrect cache-control header

N/A

CVSS Score

Basic Information

EPSS Score
0.0189%
Published
11/1/2025
Updated
11/3/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.liferay:com.liferay.adaptive.media.webmaven< 5.0.525.0.52
com.liferay.portal:com.liferay.portal.implmaven< 69.1.069.1.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is caused by an incorrect Cache-Control header being set on file downloads, which allows browsers to cache potentially sensitive files. An attacker with local access to a user's computer could then access these files from the browser's cache.

The analysis of the provided patches reveals two key locations where this vulnerability is addressed:

  1. com.liferay.portal.webserver.WebServerServlet.service: This servlet is responsible for serving files from the Document Library. The patch modifies the service method to check if the request is for a download (via the download parameter). If it is, the Cache-Control header is set to no-cache, preventing the browser from caching the file. Otherwise, it defaults to private.

  2. com.liferay.adaptive.media.web.internal.servlet.AMServlet.doGet: This servlet handles files for the Adaptive Media module. The patch applies the same logic to the doGet method, setting the Cache-Control header to no-cache for downloads to prevent caching.

Both of these functions are directly involved in processing file download requests and were responsible for setting the incorrect cache header. Therefore, they are the vulnerable functions that would appear in a runtime profile during the exploitation of this vulnerability.

Vulnerable functions

com.liferay.portal.webserver.WebServerServlet.service
portal-impl/src/com/liferay/portal/webserver/WebServerServlet.java
The 'service' method in 'WebServerServlet' was vulnerable because it set a 'Cache-Control' header to 'private' for all file downloads, allowing browsers to cache sensitive files. The patch introduces logic to check for a 'download' parameter and sets the 'Cache-Control' header to 'no-cache' to prevent caching.
com.liferay.adaptive.media.web.internal.servlet.AMServlet.doGet
modules/apps/adaptive-media/adaptive-media-web/src/main/java/com/liferay/adaptive/media/web/internal/servlet/AMServlet.java
The 'doGet' method in 'AMServlet' was vulnerable because it set a 'Cache-Control' header to 'private' for all file downloads from the adaptive media module, which allowed browsers to cache sensitive files. The patch introduces logic to check for a 'download' parameter and sets the 'Cache-Control' header to 'no-cache' to prevent caching.

WAF Protection Rules

WAF Rule

T** *o*um*nt Li*r*ry *n* t** ***ptiv* M**i* mo*ul*s in Li**r*y Port*l *.*.* t*rou** *.*.*.***, *n* ol**r unsupport** v*rsions, *n* Li**r*y *XP ****.Q*.* t*rou** ****.Q*.**, ****.Q*.* t*rou** ****.Q*.**, *.* ** t*rou** up**t* **, *n* ol**r unsupport**

Reasoning

T** vuln*r**ility is **us** *y *n in*orr**t `*****-*ontrol` *****r **in* s*t on *il* *ownlo**s, w*i** *llows *rows*rs to ***** pot*nti*lly s*nsitiv* *il*s. *n *tt**k*r wit* lo**l ****ss to * us*r's *omput*r *oul* t**n ****ss t**s* *il*s *rom t** *row