Moderate severity · NVD Advisory · Published Oct 29, 2025 · Updated Oct 30, 2025
CVE-2025-62257
CVE-2025-62257
Description
Password enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions allows remote attackers to determine a user’s password even if account lockout is enabled via brute force attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.liferay.portal:release.portal.bom (Maven) | >= 7.4.0-ga1, < 7.4.3.120 | 7.4.3.120 |
Affected products
2- Liferay/DXPv5Range: 7.4.13
Patches
1 file changed · +1 −1
modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+1 −1 modified@@ -430,7 +430,7 @@ public void testGetUserGroupUsers() throws Exception { } @Test - public void testLockoutUser() throws Exception { + public void testLockout() throws Exception { User user = UserTestUtil.addUser(); String password = "password";
924a0a470076 LPS-164371 Add Integration Test
1 file changed · +71 −0
modules/apps/user/user-test/src/testIntegration/java/com/liferay/user/service/test/UserLocalServiceTest.java+71 −0 modified@@ -22,6 +22,7 @@ import com.liferay.portal.kernel.exception.PasswordExpiredException; import com.liferay.portal.kernel.exception.PortalException; import com.liferay.portal.kernel.exception.RequiredRoleException; +import com.liferay.portal.kernel.exception.UserLockoutException; import com.liferay.portal.kernel.json.JSONFactoryUtil; import com.liferay.portal.kernel.model.Company; import com.liferay.portal.kernel.model.Group; @@ -32,6 +33,7 @@ import com.liferay.portal.kernel.model.User; import com.liferay.portal.kernel.model.UserGroup; import com.liferay.portal.kernel.model.role.RoleConstants; +import com.liferay.portal.kernel.security.auth.AuthException; import com.liferay.portal.kernel.security.auth.Authenticator; import com.liferay.portal.kernel.security.permission.PermissionChecker; import com.liferay.portal.kernel.security.permission.PermissionCheckerFactoryUtil; 
@@ -427,6 +429,75 @@ public void testGetUserGroupUsers() throws Exception { ListUtil.toLongArray(userGroupUsers, User.USER_ID_ACCESSOR))); } + @Test + public void testLockoutUser() throws Exception { + User user = UserTestUtil.addUser(); + + String password = "password"; + + user = _userLocalService.updatePassword( + user.getUserId(), password, password, false, true); + + Assert.assertEquals( + Authenticator.SUCCESS, + _userLocalService.authenticateByEmailAddress( + user.getCompanyId(), user.getEmailAddress(), password, null, + null, null)); + + PasswordPolicy passwordPolicy = user.getPasswordPolicy(); + + passwordPolicy.setLockout(true); + passwordPolicy.setMaxFailure(1); + + _passwordPolicyLocalService.updatePasswordPolicy(passwordPolicy); + + int failedLoginAttempts = user.getFailedLoginAttempts(); + + Assert.assertEquals( + Authenticator.FAILURE, + _userLocalService.authenticateByEmailAddress( + user.getCompanyId(), user.getEmailAddress(), + RandomTestUtil.randomString(), null, null, null)); + + try { + _userLocalService.authenticateByEmailAddress( + user.getCompanyId(), user.getEmailAddress(), password, null, + null, null); + } + catch (PortalException portalException) { + Assert.assertEquals( + UserLockoutException.PasswordPolicyLockout.class, + portalException.getClass()); + } + + try { + _userLocalService.authenticateByEmailAddress( + user.getCompanyId(), user.getEmailAddress(), + RandomTestUtil.randomString(), null, null, null); + } + catch (PortalException portalException) { + Assert.assertEquals( + AuthException.class, portalException.getClass()); + } + + user = _userLocalService.fetchUser(user.getUserId()); + + Assert.assertEquals( + failedLoginAttempts + 3, user.getFailedLoginAttempts()); + + passwordPolicy = user.getPasswordPolicy(); + + passwordPolicy.setLockout(false); + + _passwordPolicyLocalService.updatePasswordPolicy(passwordPolicy); + + Assert.assertEquals( + Authenticator.SUCCESS, + _userLocalService.authenticateByEmailAddress( + 
user.getCompanyId(), user.getEmailAddress(), password, null, + null, null)); + } + @Test public void testSearchCounts() throws Exception {
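Review bot: Both `try` blocks in the new `testLockoutUser` pass vacuously if `authenticateByEmailAddress` returns without throwing, because nothing inside the `try` fails the test; a regression where a locked account is authenticated with the correct password would therefore go undetected. Add `Assert.fail();` as the last statement of each `try` block, directly after the `_userLocalService.authenticateByEmailAddress(...)` call, so that only the expected exception type satisfies the test. The test also sets `passwordPolicy.setMaxFailure(1)` and at the end restores only `setLockout(false)`; if `user.getPasswordPolicy()` resolves to a company-wide default policy, the changed `maxFailure` leaks into later tests, so consider capturing and restoring the original value as well. The hunk's trailing context after `testSearchCounts()` is cut off on this page.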
45cffd5030ab LPS-164371 Fix lockout issue
1 file changed · +1 −11
portal-impl/src/com/liferay/portal/security/auth/session/AuthenticatedSessionManagerImpl.java+1 −11 modified@@ -463,21 +463,11 @@ else if (authType.equals(CompanyConstants.AUTH_TYPE_ID)) { headerMap, parameterMap, resultsMap); } - User user = (User)resultsMap.get("user"); - if (authResult != Authenticator.SUCCESS) { - if (user != null) { - user = UserLocalServiceUtil.fetchUser(user.getUserId()); - } - - if (user != null) { - UserLocalServiceUtil.checkLockout(user); - } - throw new AuthException(); } - return user; + return (User)resultsMap.get("user"); } private static final Log _log = LogFactoryUtil.getLog(
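Review bot: Dropping the `checkLockout` call from the failure branch is what makes the failed-login response identical for a locked account regardless of the password supplied, but nothing in the hunk records that intent, so a later change could put a lockout check back in front of `throw new AuthException();` and reintroduce the disclosure. Add a comment above `if (authResult != Authenticator.SUCCESS) {`, e.g. `// Do not evaluate lockout state here: a failed login must raise the same AuthException whether or not the supplied password was correct, otherwise the lockout response reveals the password. Lockout is enforced by the authentication service.` The companion test in 924a0a470076 expects `UserLockoutException.PasswordPolicyLockout` from `authenticateByEmailAddress`, which suggests the check now lives in the user service, though that code is not in this diff. The enclosing method starts outside the hunk; note that `(User)resultsMap.get("user")` can still be null on the success path, exactly as the previous `return user;` could, so callers' null handling is unchanged.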
References
- github.com/advisories/GHSA-8hw3-ghwv-crfh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-62257 (ghsa, ADVISORY)
- github.com/liferay/liferay-portal/commit/45cffd5030ab78e8b005d9cfd6284311da978c68 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/924a0a47007665693fe2d29623cb48a426a80266 (ghsa, WEB)
- github.com/liferay/liferay-portal/commit/d21627ac07561c5063f611be631e63ff502ec8e7 (ghsa, WEB)
- liferay.atlassian.net/browse/LPE-17692 (ghsa, WEB)
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62257 (ghsa, WEB)