Moderate severityNVD Advisory· Published Oct 23, 2025· Updated Oct 24, 2025

CVE-2025-62254

CVE-2025-62254

Description

The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:com.liferay.portal.impl (Maven) | < 97.0.0 | 97.0.0

Affected products

2

Patches

4
8328aaf7c6eb

LPS-200583 Fail as soon as possible. Combo will retrieve all requested resources only if the number of such resources is not higher than combo.max.files

https://github.com/liferay/liferay-portal · Daniel Sanz · Dec 19, 2023 · via ghsa
1 file changed · +15 -18
  • portal-impl/src/com/liferay/portal/servlet/ComboServlet.java+15 18 modified
    @@ -185,6 +185,21 @@ protected void doService(
     			return;
     		}
     
    +		if ((PropsValues.COMBO_MAX_FILES > 0) &&
    +			(modulePathsSet.size() > PropsValues.COMBO_MAX_FILES)) {
    +
    +			httpServletResponse.setHeader(
    +				HttpHeaders.CACHE_CONTROL,
    +				HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
    +			httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
    +
    +			if (_log.isWarnEnabled()) {
    +				_log.warn("ComboServlet request exceeded maximum file count");
    +			}
    +
    +			return;
    +		}
    +
     		String[] modulePaths = modulePathsSet.toArray(new String[0]);
     
     		String extension = StringPool.BLANK;
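Review bot: The guard added before `modulePathsSet.toArray` bounds only the number of requested paths; nothing visible in this hunk bounds the combined size of the files that are read afterwards, although the advisory text names both number and size. If no byte cap exists elsewhere in `doService` (the body continues outside the hunk), a running total checked against a configured maximum while the resources are read would close the remaining gap. The warning would also be more useful for detection if it carried the observed count and the limit, e.g. `_log.warn("ComboServlet request exceeded maximum file count: " + modulePathsSet.size() + " > " + PropsValues.COMBO_MAX_FILES);`.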
    @@ -307,24 +322,6 @@ protected void doService(
     			if (cacheEnabled && (modulePathsString != null) &&
     				!PropsValues.COMBO_CHECK_TIMESTAMP) {
     
    -				if (PropsValues.COMBO_MAX_FILES > 0 &&
    -					modulePaths.length > PropsValues.COMBO_MAX_FILES) {
    -
    -					httpServletResponse.setHeader(
    -						HttpHeaders.CACHE_CONTROL,
    -						HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
    -
    -					httpServletResponse.setStatus(
    -						HttpServletResponse.SC_BAD_REQUEST);
    -
    -					if (_log.isWarnEnabled()) {
    -						_log.warn(
    -							"ComboServlet request exceeded maximum file count");
    -					}
    -
    -					return;
    -				}
    -
     				_bytesArrayPortalCache.put(modulePathsString, bytesArray);
     			}
     		}
    
45e1a3a757bc

LPS-200583 Simplify: enforce number of files for the current request is not higher than combo.max.files value. This still allows caching more files than combo.max.files globally, because we cache many responses. We guarantee however that no element in cache contains more than combo.max.files

https://github.com/liferay/liferay-portal · Daniel Sanz · Dec 19, 2023 · via ghsa
1 file changed · +3 -17
  • portal-impl/src/com/liferay/portal/servlet/ComboServlet.java+3 17 modified
    @@ -307,23 +307,9 @@ protected void doService(
     			if (cacheEnabled && (modulePathsString != null) &&
     				!PropsValues.COMBO_CHECK_TIMESTAMP) {
     
    -				if (modulePaths.length <= PropsValues.COMBO_MAX_FILES) {
    -					int totalFilesCount = 0;
    +				if (PropsValues.COMBO_MAX_FILES > 0 &&
    +					modulePaths.length > PropsValues.COMBO_MAX_FILES) {
     
    -					List<String> keys = _bytesArrayPortalCache.getKeys();
    -
    -					for (String key : keys) {
    -						byte[][] curBytesArray = _bytesArrayPortalCache.get(
    -							key);
    -
    -						totalFilesCount += curBytesArray.length;
    -
    -						if (totalFilesCount > PropsValues.COMBO_MAX_FILES) {
    -							return;
    -						}
    -					}
    -				}
    -				else {
     					httpServletResponse.setHeader(
     						HttpHeaders.CACHE_CONTROL,
     						HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
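Review bot: The count check still sits inside the `cacheEnabled && (modulePathsString != null) && !PropsValues.COMBO_CHECK_TIMESTAMP` branch, so it appears to run only after `bytesArray` has been built and only for cacheable requests. A request with more than `combo.max.files` paths would then still cost the full read before it is rejected, and would not be rejected at all when caching is off or timestamp checking is on. The same placement applies to the `else` branch added in def502837297. Comparing the path count with the limit before any resource is fetched, outside the cache condition, avoids both; `doService` starts and ends outside this hunk, so the exact spot has to be confirmed against the full method.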
    @@ -333,7 +319,7 @@ protected void doService(
     
     					if (_log.isWarnEnabled()) {
     						_log.warn(
    -							"ComboServlet request exceeded maximum file count")
    +							"ComboServlet request exceeded maximum file count");
     					}
     
     					return;
    
def502837297

LPS-200583 - Check max files against modulePaths.length, and add error handling

https://github.com/liferay/liferay-portal · Krešimir Čoko · Dec 19, 2023 · via ghsa
1 file changed · +16 -1
  • portal-impl/src/com/liferay/portal/servlet/ComboServlet.java+16 1 modified
    @@ -307,7 +307,7 @@ protected void doService(
     			if (cacheEnabled && (modulePathsString != null) &&
     				!PropsValues.COMBO_CHECK_TIMESTAMP) {
     
    -				if (PropsValues.COMBO_MAX_FILES != -1) {
    +				if (modulePaths.length <= PropsValues.COMBO_MAX_FILES) {
     					int totalFilesCount = 0;
     
     					List<String> keys = _bytesArrayPortalCache.getKeys();
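Review bot: `modulePaths.length <= PropsValues.COMBO_MAX_FILES` is false for every request when the property holds -1, the value the replaced condition treated as "no limit" and the fallback declared in `PropsValues`. With that setting every cacheable request would take the `else` branch added further down in this commit and be answered with a 400. The unlimited case needs its own test before the comparison, e.g. `if ((PropsValues.COMBO_MAX_FILES > 0) && (modulePaths.length > PropsValues.COMBO_MAX_FILES))` guarding the rejection.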
    @@ -323,6 +323,21 @@ protected void doService(
     						}
     					}
     				}
    +				else {
    +					httpServletResponse.setHeader(
    +						HttpHeaders.CACHE_CONTROL,
    +						HttpHeaders.CACHE_CONTROL_NO_CACHE_VALUE);
    +
    +					httpServletResponse.setStatus(
    +						HttpServletResponse.SC_BAD_REQUEST);
    +
    +					if (_log.isWarnEnabled()) {
    +						_log.warn(
    +							"ComboServlet request exceeded maximum file count")
    +					}
    +
    +					return;
    +				}
     
     				_bytesArrayPortalCache.put(modulePathsString, bytesArray);
     			}
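Review bot: The `_log.warn(` call added in the `else` branch has no terminating semicolon, so `ComboServlet.java` cannot compile at this commit. The closing line should read `"ComboServlet request exceeded maximum file count");`.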
    
85d63e9d6e47

LPS-200583 - Add a portal property to limit the amount of files that can be requested at once by the ComboServlet

https://github.com/liferay/liferay-portal · Krešimir Čoko · Dec 14, 2023 · via ghsa
4 files changed · +29 -0
  • portal-impl/src/com/liferay/portal/servlet/ComboServlet.java+17 0 modified
    @@ -307,6 +307,23 @@ protected void doService(
     			if (cacheEnabled && (modulePathsString != null) &&
     				!PropsValues.COMBO_CHECK_TIMESTAMP) {
     
    +				if (PropsValues.COMBO_MAX_FILES != -1) {
    +					int totalFilesCount = 0;
    +
    +					List<String> keys = _bytesArrayPortalCache.getKeys();
    +
    +					for (String key : keys) {
    +						byte[][] curBytesArray = _bytesArrayPortalCache.get(
    +							key);
    +
    +						totalFilesCount += curBytesArray.length;
    +
    +						if (totalFilesCount > PropsValues.COMBO_MAX_FILES) {
    +							return;
    +						}
    +					}
    +				}
    +
     				_bytesArrayPortalCache.put(modulePathsString, bytesArray);
     			}
     		}
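Review bot: `_bytesArrayPortalCache.get(key)` is dereferenced without a null check, so if an entry can be evicted or expire between `getKeys()` and the lookup, `curBytesArray.length` throws; `if (curBytesArray == null) { continue; }` before the addition would cover that. The bare `return` once the total passes the limit also leaves `doService` before the `put` and, as far as the hunk shows, before the already-built response is written (the method continues outside the hunk), so a full cache would turn every uncached request into an empty reply. Skipping only the `put` would keep serving content. Walking every cache key on each cacheable request also adds work proportional to the cache size.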
    
  • portal-impl/src/com/liferay/portal/util/PropsValues.java+3 0 modified
    @@ -338,6 +338,9 @@ public class PropsValues {
     		GetterUtil.getLong(
     			PropsUtil.get(PropsKeys.COMBO_CHECK_TIMESTAMP_INTERVAL));
     
    +	public static final int COMBO_MAX_FILES = GetterUtil.getInteger(
    +		PropsUtil.get(PropsKeys.COMBO_MAX_FILES), -1);
    +
     	public static final String COMPANY_DEFAULT_HOME_URL = PropsUtil.get(
     		PropsKeys.COMPANY_DEFAULT_HOME_URL);
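Review bot: The fallback passed to `GetterUtil.getInteger` is -1, while `portal.properties` in this commit ships `combo.max.files=100`, so a missing property (or, presumably, one that does not parse as an integer) switches the limit off without any signal. Using the shipped value as the fallback, `PropsUtil.get(PropsKeys.COMBO_MAX_FILES), 100);`, keeps the protective default. If -1 is meant as a deliberate "unlimited" setting, a comment on the constant should say so.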
     
    
  • portal-impl/src/portal.properties+7 0 modified
    @@ -6104,6 +6104,13 @@
         #
         combo.check.timestamp.interval=1000
     
    +    #
    +    # Set the maximum number of files allowed in the cache.
    +    #
    +    # Env: LIFERAY_COMBO_PERIOD_MAX_PERIOD_FILES
    +    #
    +    combo.max.files=100
    +
     ##
     ## Content Delivery Network
     ##
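Review bot: The comment on `combo.max.files` does not say which value turns the limit off or what a client sees once the limit is reached. Since `ComboServlet` tests `!= -1` in this commit, I would add a line such as `# Set this to -1 to disable the limit.` and one sentence describing the behaviour when the limit is exceeded, so operators can tell a deliberate opt-out from a misconfiguration.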
    
  • portal-kernel/src/com/liferay/portal/kernel/util/PropsKeys.java+2 0 modified
    @@ -410,6 +410,8 @@ public interface PropsKeys {
     	public static final String COMBO_CHECK_TIMESTAMP_INTERVAL =
     		"combo.check.timestamp.interval";
     
    +	public static final String COMBO_MAX_FILES = "combo.max.files";
    +
     	public static final String COMMUNITIES_CONTROL_PANEL_MEMBERS_VISIBLE =
     		"communities.control.panel.members.visible";
     
    


References

8
