Moderate severity · NVD Advisory · Published Oct 23, 2025 · Updated Oct 23, 2025

CVE-2025-62256


Description

Liferay Portal 7.4.0 through 7.4.3.109, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.7, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions do not properly restrict access to OpenAPI in certain circumstances, which allows remote attackers to access the OpenAPI YAML file via a crafted URL.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay:com.liferay.portal.security.auth.verifier (Maven)
< 6.0.26 | 6.0.26

Affected products


Patches

bc6138ce1be2

LPS-203432 Pass along Cross-Site Request Forgery token in header, for cases where locally-executed REST calls are required. This prevents the regression from LPS-203799 from occurring, while resolving the originally scoped issue from LPS-203432.

https://github.com/liferay/liferay-portal · ChrisKian · Jan 12, 2024 · via ghsa
1 file changed · +14 −0
  • modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/template/servlet/RESTClientHttpRequest.java+14 0 modified
    @@ -7,6 +7,7 @@
     
     import com.liferay.portal.kernel.servlet.HttpHeaders;
     import com.liferay.portal.kernel.servlet.HttpMethods;
    +import com.liferay.portal.kernel.servlet.PortalSessionThreadLocal;
     import com.liferay.portal.kernel.util.ContentTypes;
     import com.liferay.portal.kernel.util.HashMapBuilder;
     import com.liferay.portal.kernel.util.PortalUtil;
    @@ -68,6 +69,19 @@ public RESTClientHttpRequest(
     
     				return locale.toLanguageTag();
     			}
    +		).put(
    +			"X-CSRF-Token",
    +			() -> {
    +				HttpSession httpSession =
    +					PortalSessionThreadLocal.getHttpSession();
    +
    +				if (httpSession != null) {
    +					return (String)httpSession.getAttribute(
    +						WebKeys.AUTHENTICATION_TOKEN + "#CSRF");
    +				}
    +
    +				return null;
    +			}
     		).build();
     		_httpServletRequest = httpServletRequest;
     	}
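Review bot: The new `X-CSRF-Token` supplier attaches the current session's CSRF token to every request this class builds, yet nothing in the class states that it is only meant for local, in-process dispatches (the commit message says so); a comment above the `put`, such as `// The session CSRF token is only safe to forward because these requests never leave the portal`, would keep a future caller from pointing this client at a remote host and disclosing the token. The supplier also returns null when there is no session; confirm how `HashMapBuilder.put` treats a null supplier result, since a present-but-empty header may be handled differently by the CSRF check than an absent one. The `"#CSRF"` suffix is an inline string literal; if the attribute name is defined as a constant elsewhere, reuse it rather than duplicating the suffix. The constructor `RESTClientHttpRequest` begins outside the hunk, and the hunk does not show where `HttpSession` and `WebKeys` are imported.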
    
27b51dbae35b

LPS-203432 I18nServlet forwards requests, so forwarding is the only additional dispatch type that needs to be handled. And all filters registered by AuthVerifierFilterTracker need to execute.

https://github.com/liferay/liferay-portal · Stian Sigvartsen · Dec 13, 2023 · via ghsa
1 file changed · +15 −20
  • modules/apps/portal-security/portal-security-auth-verifier/src/main/java/com/liferay/portal/security/auth/verifier/internal/tracker/AuthVerifierFilterTracker.java+15 20 modified
    @@ -18,6 +18,7 @@
     import com.liferay.portal.kernel.util.HashMapDictionary;
     import com.liferay.portal.kernel.util.HashMapDictionaryBuilder;
     import com.liferay.portal.kernel.util.MapUtil;
    +import com.liferay.portal.kernel.util.StringUtil;
     import com.liferay.portal.servlet.filters.authverifier.AuthVerifierFilter;
     
     import java.io.IOException;
    @@ -56,6 +57,8 @@
     		"default.registration.property=filter.init.auth.verifier.PortalSessionAuthVerifier.urls.includes=*",
     		"default.registration.property=filter.init.guest.allowed=true",
     		"default.remote.access.filter.service.ranking:Integer=-10",
    +		"default.whiteboard.property=" + HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_DISPATCHER + "=" + HttpWhiteboardConstants.DISPATCHER_FORWARD,
    +		"default.whiteboard.property=" + HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_DISPATCHER + "=" + HttpWhiteboardConstants.DISPATCHER_REQUEST,
     		"default.whiteboard.property=" + HttpWhiteboardConstants.HTTP_WHITEBOARD_FILTER_SERVLET + "=cxf-servlet",
     		"servlet.context.helper.select.filter=(!(liferay.auth.verifier=false))"
     	},
    @@ -123,7 +126,18 @@ private Dictionary<String, Object> _toDictionary(
     				propertyValue = property.substring(index + 1);
     			}
     
    -			dictionary.put(propertyKey, propertyValue);
    +			Object existingPropertyValue = dictionary.get(propertyKey);
    +
    +			if (existingPropertyValue != null) {
    +				List<String> strings = StringUtil.asList(existingPropertyValue);
    +
    +				strings.add(propertyValue);
    +
    +				dictionary.put(propertyKey, strings);
    +			}
    +			else {
    +				dictionary.put(propertyKey, propertyValue);
    +			}
     		}
     
     		return dictionary;
    @@ -313,22 +327,6 @@ public void removedService(
     			remoteAccessFilterServiceRegistration.unregister();
     		}
     
    -		private Dictionary<String, Object> _buildDefaultFilterProperties(
    -			String filterName) {
    -
    -			HashMapDictionaryBuilder.HashMapDictionaryWrapper<String, Object>
    -				properties =
    -					new HashMapDictionaryBuilder.HashMapDictionaryWrapper<>();
    -
    -			properties.put("servlet-context-name", "");
    -			properties.put("servlet-filter-name", filterName);
    -			properties.put("url-pattern", "/o/headless-delivery/*");
    -			properties.put(
    -				"dispatcher", new String[] {"FORWARD", "INCLUDE", "REQUEST"});
    -
    -			return properties.build();
    -		}
    -
     		private Dictionary<String, Object> _buildPropertiesForAuditFilter(
     			ServiceReference<ServletContextHelper> serviceReference) {
     
    @@ -385,9 +383,6 @@ private Dictionary<String, Object> _buildPropertiesForAuditFilter(
     					_defaultRemoteAccessFilterServiceRanking);
     			}
     
    -			properties.putAll(
    -				_buildDefaultFilterProperties("Remote Access Filter"));
    -
     			return properties.build();
     		}
     
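Review bot: `_toDictionary` now merges any repeated property key into a `List<String>`, which is what lets the two new `default.whiteboard.property` dispatcher entries (FORWARD and REQUEST) both reach the registration; but a third occurrence of the same key would hit an entry that is already a list, so confirm that `StringUtil.asList` accepts a `List` value, or guard with `if (existingPropertyValue instanceof List)` before calling it. Since running the auth verifier on the forwarded dispatch is what closes the bypass, a unit test asserting that `_toDictionary` yields a two-element dispatcher list for the default properties would guard the fix against regression. The merge applies to every duplicated key, not only the dispatcher, so a short comment above the `existingPropertyValue` lookup stating that intent would help the next reader. `_toDictionary` begins outside the hunk.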
    
1ec03c02f2e0

LPS-203432 Add default filter properties

https://github.com/liferay/liferay-portal · Mirna Gama · Dec 12, 2023 · via ghsa
1 file changed · +19 −0
  • modules/apps/portal-security/portal-security-auth-verifier/src/main/java/com/liferay/portal/security/auth/verifier/internal/tracker/AuthVerifierFilterTracker.java+19 0 modified
    @@ -313,6 +313,22 @@ public void removedService(
     			remoteAccessFilterServiceRegistration.unregister();
     		}
     
    +		private Dictionary<String, Object> _buildDefaultFilterProperties(
    +			String filterName) {
    +
    +			HashMapDictionaryBuilder.HashMapDictionaryWrapper<String, Object>
    +				properties =
    +					new HashMapDictionaryBuilder.HashMapDictionaryWrapper<>();
    +
    +			properties.put("servlet-context-name", "");
    +			properties.put("servlet-filter-name", filterName);
    +			properties.put("url-pattern", "/o/headless-delivery/*");
    +			properties.put(
    +				"dispatcher", new String[] {"FORWARD", "INCLUDE", "REQUEST"});
    +
    +			return properties.build();
    +		}
    +
     		private Dictionary<String, Object> _buildPropertiesForAuditFilter(
     			ServiceReference<ServletContextHelper> serviceReference) {
     
    @@ -369,6 +385,9 @@ private Dictionary<String, Object> _buildPropertiesForAuditFilter(
     					_defaultRemoteAccessFilterServiceRanking);
     			}
     
    +			properties.putAll(
    +				_buildDefaultFilterProperties("Remote Access Filter"));
    +
     			return properties.build();
     		}
     
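Review bot: `_buildDefaultFilterProperties` registers with the literal keys `"servlet-context-name"`, `"servlet-filter-name"`, `"url-pattern"` and `"dispatcher"`, while the rest of this file uses `HttpWhiteboardConstants`; if the remote access filter registration is consumed by the OSGi HTTP whiteboard rather than the portal filter registry, these keys would be ignored, so confirm which consumer reads them. The hard-coded `"/o/headless-delivery/*"` pattern also scopes the default to a single REST context, which presumably leaves other contexts served by `cxf-servlet` uncovered. `properties.putAll(...)` runs after the caller has already set its own entries, so any key present in both is overwritten by the defaults — a comment such as `// Defaults intentionally take precedence over audit-filter specific entries` would make that explicit if intended. The enclosing nested class and `_buildPropertiesForAuditFilter` both begin outside the hunk.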
    


References

