CVE-2025-62260 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting multiple versions of Liferay Portal and Liferay DXP. The root cause is the absence of limits on the number of objects returned by Headless API requests. This allows remote attackers to craft requests that retrieve excessively large datasets, overwhelming server resources such as memory and CPU. The consequence is a denial-of-service (DoS) condition where legitimate users may experience degraded performance or complete service outages. The vulnerability affects Liferay Portal versions 7.4.0 through 7.4.3.99, Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35, as well as older unsupported versions. Exploitation requires no authentication or user interaction and can be performed remotely over the network, increasing the attack surface. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high impact on availability (VA:H), with no impact on confidentiality or integrity. No patches or exploits are currently publicly available, but the vulnerability is published and should be treated as a high risk. The lack of response size limits in the API is a design flaw that can be mitigated by implementing rate limiting, pagination, or maximum response size enforcement. Organizations relying on Liferay Portal for web content management or digital experience platforms should assess their exposure and prepare to apply fixes or mitigations promptly.

For European organizations, this vulnerability poses a significant risk to the availability of critical web portals and digital services powered by Liferay Portal. Denial-of-service attacks exploiting this flaw can disrupt business operations, customer access, and internal workflows, especially in sectors like government, finance, healthcare, and large enterprises where Liferay is commonly deployed. Service outages can lead to reputational damage, regulatory scrutiny, and financial losses. The ease of exploitation without authentication means that attackers can launch attacks from external networks, increasing the threat landscape. Additionally, organizations with public-facing APIs are particularly vulnerable to automated attacks that can consume excessive resources. The impact is magnified in environments with limited capacity for traffic filtering or where Liferay is a core component of digital infrastructure. Given the high CVSS score and the broad range of affected versions, the threat is substantial until mitigations or patches are applied.

1. Implement strict rate limiting and throttling on Headless API endpoints to restrict the number of requests and the volume of data returned per request. 2. Enforce pagination and maximum response size limits in API responses to prevent large data dumps. 3. Monitor API usage patterns and set alerts for abnormal spikes in request volume or response sizes. 4. Apply network-level protections such as Web Application Firewalls (WAFs) configured to detect and block suspicious API request patterns. 5. Restrict access to Headless APIs to trusted IP ranges or authenticated users where possible, even though the vulnerability does not require authentication. 6. Upgrade to the latest Liferay Portal or DXP versions once official patches addressing this vulnerability are released. 7. Conduct regular security assessments and penetration testing focused on API endpoints to identify similar resource consumption issues. 8. Educate development and operations teams about secure API design principles, including resource limiting and input validation.