
CVE-2025-62241: CWE-639 Authorization Bypass Through User-Controlled Key in Liferay DXP

Severity: Medium
Published: Mon Oct 13 2025 (10/13/2025, 19:32:15 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: DXP

Description

Insecure Direct Object Reference (IDOR) vulnerability with shipment addresses in Liferay DXP 2023.Q4.1 through 2023.Q4.5 allows remote authenticated users from one virtual instance to view the shipment addresses of a different virtual instance via the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId parameter.

AI-Powered Analysis

AILast updated: 10/21/2025, 00:42:16 UTC

Technical Analysis

CVE-2025-62241 is an authorization bypass classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting Liferay DXP 2023.Q4.1 through 2023.Q4.5. The flaw is an Insecure Direct Object Reference (IDOR) in how the CommerceOrderPortlet resolves shipment addresses: the portlet loads the order named by the _com_liferay_commerce_order_web_internal_portlet_CommerceOrderPortlet_commerceOrderId request parameter without confirming that the order belongs to the virtual instance the caller authenticated to. Virtual instances are the isolated tenant environments of a Liferay DXP deployment, so a remote authenticated user of one instance can supply the order ID of an order in another instance and read that instance's shipment addresses, breaking tenant isolation. Exploitation needs no user interaction, has low attack complexity and works over the network, but it does require an authenticated account. The CVSS 4.0 vector for the record is network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and low confidentiality impact (VC:L), with no impact on integrity or availability. At the time of this analysis no patch or known exploit was listed, but the issue is publicly disclosed and should be addressed promptly. It illustrates a gap in access control enforcement for multi-tenant deployments in the commerce module of Liferay DXP.
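The pattern behind the finding, as an added example that is not Liferay's code: a lookup keyed only on the user-supplied order ID beside a lookup that first binds the order to the caller's tenant. The data model is a simplification and an assumption on my part: each virtual instance is represented by a company_id (Liferay's Company record), and every order carries the company_id that owns it. The orders, principals and the `attempt` helper are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class ShippingAddress:
    name: str
    street: str
    city: str
    country: str


@dataclass(frozen=True)
class CommerceOrder:
    order_id: int
    company_id: int      # virtual instance (Liferay Company) that owns the order
    account_id: int      # customer account inside that instance
    shipping: ShippingAddress


@dataclass(frozen=True)
class Principal:
    user_id: int
    company_id: int                 # instance the user authenticated to
    account_ids: FrozenSet[int]     # accounts the user may act for


class Forbidden(Exception):
    """Raised when the caller may not see the requested order."""


# Constructed sample data: two virtual instances (10 and 20) on one deployment.
ORDERS = {
    1001: CommerceOrder(1001, 10, 500, ShippingAddress("A. Customer", "1 Main St", "Dublin", "IE")),
    2002: CommerceOrder(2002, 20, 700, ShippingAddress("B. Customer", "9 Ring Rd", "Berlin", "DE")),
}

ALICE = Principal(user_id=1, company_id=10, account_ids=frozenset({500}))   # instance 10
BOB = Principal(user_id=2, company_id=20, account_ids=frozenset({700}))     # instance 20


def shipping_address_vulnerable(principal: Principal, order_id: int) -> ShippingAddress:
    """CWE-639 pattern: the user-supplied key alone selects the row; the
    authenticated principal is never compared against the row's owner."""
    return ORDERS[order_id].shipping


def shipping_address_hardened(principal: Principal, order_id: int) -> ShippingAddress:
    """Bind the lookup to the caller's tenant and account before returning data."""
    order = ORDERS.get(order_id)
    # Unknown ids and foreign-instance ids fail identically, so the response
    # cannot be used to enumerate which ids exist in other instances.
    if order is None or order.company_id != principal.company_id:
        raise Forbidden(f"order {order_id} is not visible in instance {principal.company_id}")
    # Same-instance ownership check: the general rule, beyond the cross-instance
    # case this CVE describes.
    if order.account_id not in principal.account_ids:
        raise Forbidden(f"user {principal.user_id} may not act for account {order.account_id}")
    return order.shipping


def attempt(handler: Callable[[Principal, int], ShippingAddress],
            principal: Principal, order_id: int) -> Optional[ShippingAddress]:
    """Run a handler and map a refusal (or a missing row) to None."""
    try:
        return handler(principal, order_id)
    except (Forbidden, KeyError):
        return None


if __name__ == "__main__":
    # Alice (instance 10) asks for an order that belongs to instance 20.
    print("vulnerable handler returned:", attempt(shipping_address_vulnerable, ALICE, 2002))
    print("hardened handler returned:", attempt(shipping_address_hardened, ALICE, 2002))
```

The important design choice is that the tenant comparison happens on the row that was loaded, not on anything the client sent: the request names an ID, the server decides whose record that ID is, and the answer is compared against the session's instance.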

Potential Impact

The primary impact of CVE-2025-62241 is unauthorized disclosure of shipment address information across virtual instances, which compromises confidentiality. For European organizations, this could lead to exposure of sensitive customer or partner shipping data, potentially violating GDPR and other data protection regulations. The breach of tenant isolation undermines trust in multi-tenant deployments and could expose business-sensitive logistics information. While the vulnerability does not affect integrity or availability, the leakage of shipment addresses could facilitate further targeted attacks such as social engineering or fraud. Organizations operating e-commerce or supply chain portals on Liferay DXP are at higher risk. The medium severity score reflects the moderate impact and the requirement for authenticated access, but the ease of exploitation and cross-tenant data leakage make it a significant concern for enterprises handling sensitive commerce data.

Mitigation Recommendations

To mitigate CVE-2025-62241, organizations should first apply the fixed Liferay DXP release or patch for the 2023.Q4 line once it is available. Until then, administrators should review and tighten access control for virtual instances so that tenant isolation is enforced at both the application and database layers. The check that matters here is ownership: before the CommerceOrderPortlet discloses shipment data, the commerceOrderId supplied in the request must resolve to an order whose owning virtual instance (its companyId in Liferay's data model) matches the instance the caller authenticated to, and unknown and foreign order IDs should be refused in the same way so that the response cannot be used to enumerate IDs across instances. Logging access to commerce order data, including the requesting user's instance and the requested order ID, makes cross-instance requests detectable, and a single account requesting many distinct order IDs in a short window is a useful enumeration signal. Restricting the CommerceOrderPortlet to the users and roles that need it reduces the attack surface, and network segmentation and multi-factor authentication for portal access lower the chance that an attacker obtains the authenticated session the attack requires. Regular security assessments and penetration testing focused on multi-tenancy controls are recommended to find similar issues proactively.
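Detection logic for the monitoring recommendation above, as an added example that is not part of the page or of any Liferay tooling. It assumes an application audit log that records the authenticated user and the companyId of the instance the session belongs to next to the request line (the log format and the lines themselves are constructed), and a hypothetical index of commerceOrderId to owning companyId exported from the orders table. Only the parameter name is taken from the CVE description.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Parameter named in the CVE description.
ORDER_ID_PARAM = ("_com_liferay_commerce_order_web_internal_portlet_"
                  "CommerceOrderPortlet_commerceOrderId")

# Hypothetical index of commerceOrderId -> owning companyId (virtual instance).
ORDER_OWNER: Dict[int, int] = {1001: 10, 1002: 10, 2001: 20, 2002: 20, 2003: 20}

# Constructed audit-log lines in an assumed format:
# <timestamp> user=<login> company=<companyId of session> <method> <target> <status>
LOG_LINES = """\
2025-10-14T09:12:33Z user=alice company=10 GET /web/shop-a/orders?PARAM=1001 200
2025-10-14T09:12:41Z user=alice company=10 GET /web/shop-a/orders?PARAM=2001 200
2025-10-14T09:12:42Z user=alice company=10 GET /web/shop-a/orders?PARAM=2002 200
2025-10-14T09:12:43Z user=alice company=10 GET /web/shop-a/orders?PARAM=2003 403
2025-10-14T09:15:02Z user=bob company=20 GET /web/shop-b/orders?PARAM=2001 200
2025-10-14T09:16:10Z user=bob company=20 GET /web/shop-b/orders?PARAM=abc 400
""".replace("PARAM", ORDER_ID_PARAM).splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) company=(?P<company>\d+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)


def order_id_from_target(target: str) -> Optional[int]:
    """Pull the commerceOrderId out of the request target; None if absent or non-numeric."""
    values = parse_qs(urlsplit(target).query).get(ORDER_ID_PARAM)
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def find_cross_instance_access(lines: List[str]) -> List[Tuple[str, int, int, int, int]]:
    """Return (user, user_company, order_id, owner_company, status) for every request
    that names an order owned by a different virtual instance. Status 200 means the
    address was served; a 4xx after patching still records the attempt."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line, skip rather than crash
        order_id = order_id_from_target(m["target"])
        if order_id is None:
            continue                       # request did not name an order
        owner = ORDER_OWNER.get(order_id)
        user_company = int(m["company"])
        if owner is not None and owner != user_company:
            alerts.append((m["user"], user_company, order_id, owner, int(m["status"])))
    return alerts


def users_probing_many_orders(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Enumeration heuristic: users that requested at least `threshold` distinct order ids."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and (oid := order_id_from_target(m["target"])) is not None:
            seen[m["user"]].add(oid)
    return {user: len(ids) for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for alert in find_cross_instance_access(LOG_LINES):
        print("cross-instance order access:", alert)
    print("enumeration candidates:", users_probing_many_orders(LOG_LINES))
```

In a real deployment the ORDER_OWNER index would be a query against the orders table rather than a dict, and the threshold in `users_probing_many_orders` should be tuned against the normal number of orders a user views per session; the mismatch check itself needs no tuning, since a request for another instance's order is never legitimate.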


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-10-09T20:58:49.217Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68ed566e06a2a330d3233343

Added to database: 10/13/2025, 7:43:42 PM

Last enriched: 10/21/2025, 12:42:16 AM

Last updated: 12/4/2025, 6:29:27 PM

