CVE-2025-62276: CWE-525: Use of Web Browser Cache Containing Sensitive Information in Liferay Portal
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions uses an incorrect cache-control header, which allows local users to obtain access to downloaded files via the browser's cache.
AI Analysis
Technical Summary
CVE-2025-62276 affects the Document Library and Adaptive Media modules of Liferay Portal 7.4.0 through 7.4.3.111 and of Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92, plus older unsupported releases of both products. The root cause is an incorrect Cache-Control response header on the files these modules serve. A browser decides from that header whether to write a response to its on-disk cache: only `no-store` forbids storing the bytes, whereas `private` merely excludes shared caches (the browser cache is itself a private cache) and `no-cache` still stores the file and only forces revalidation before it is reused. Because the affected responses did not forbid storing, documents that an authenticated user downloaded or previewed in the browser, including image renditions produced by Adaptive Media, remain in the browser's cache directory after the download, after logout and after the Liferay session has expired. Anyone who can read that directory, such as another user of a shared workstation or profile, an attacker with local access to the endpoint, or someone examining a disk image or backup, can recover the files without Liferay credentials. Liferay's own permission checks are not bypassed; the data has simply been copied to a location those checks do not cover. The weakness is CWE-525, Use of Web Browser Cache Containing Sensitive Information. The CVSS 4.0 score of 4.6 (medium) reflects a local attack vector (AV:L), no privileges required (PR:N) and active user interaction (UI:A): the victim must first download or view the file, after which the attacker needs only filesystem access to the cache. The impact is to confidentiality only. No exploitation in the wild is reported and this record links no fix versions; however, each affected range has an upper bound, which implies that the release following each range (7.4.3.112, 2023.Q4.11, 2023.Q3.11 and 7.4 update 93) carries the corrected header. Confirm this against Liferay's advisory before relying on it. Unsupported older releases are also affected and will not receive a fix, so installations that have not kept pace with Liferay updates carry the most risk.
Potential Impact
For European organizations the exposure is local: an attacker needs read access to a user's browser profile on the endpoint, not network access to Liferay. Any organization that uses Liferay Portal or DXP as a document repository, or that serves images through Adaptive Media, may therefore leave confidential documents on shared workstations, hot desks, kiosks, terminal-server and virtual-desktop hosts, roaming or backed-up browser profiles, and lost or decommissioned devices. The cache captures not only files the user deliberately saved but also files merely previewed in a browser tab, so users who believe they left nothing on the machine are mistaken, and the copies persist after logout and after the Liferay session has expired. Reading them requires no Liferay credentials and leaves no trace in Liferay's audit trail. The impact is highest for installations holding personal data subject to the GDPR, intellectual property or other confidential business information, where unauthorized disclosure can bring notification duties, regulatory penalties and reputational damage. Insiders who share a machine and attackers who have already compromised an endpoint are the realistic threat actors; remote exploitation is not possible.
Mitigation Recommendations
European organizations should first inventory their Liferay Portal and DXP instances and compare each version against the affected ranges. The durable fix is to upgrade to the first release after each affected range given in the description above (confirm the exact fixed versions against Liferay's advisory); unsupported older releases will receive no fix and must be migrated. Disabling the Document Library is not a realistic interim measure on a portal whose purpose is document management. A better stop-gap is to override the response headers at the reverse proxy or web server in front of Liferay for the download paths (typically `/documents/` for Document Library downloads and `/o/adaptive-media/` for Adaptive Media renditions; confirm the paths in your deployment), setting `Cache-Control: no-store` and, for legacy clients, `Pragma: no-cache` and `Expires: 0`. Make sure the proxy replaces Liferay's own Cache-Control header rather than appending a second one, and verify the result by requesting a protected document with an authenticated session and inspecting the response headers: only `no-store` prevents the browser from writing the file to disk, while `private` and `no-cache` do not. Because the fix affects only future responses, copies already cached on endpoints remain readable until the browser cache is cleared, so push a cache-clearing policy or instruct users to clear their caches after the upgrade, and exclude browser cache directories from roaming profiles and backups. Endpoint controls such as separate OS accounts per user, full-disk encryption and locked screens reduce who can reach the cache but do not remove the data. Monitoring for reads of browser cache directories is noisy and rarely actionable; a post-deployment check of the actual response headers is the more reliable control.
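The header logic described in the technical summary and the header check recommended above, as an added example that is not part of this advisory or of Liferay's code. The evaluator applies the storability and freshness rules of RFC 9111 for a browser's private cache to a set of constructed header sets (not captured from a Liferay instance) and can be pointed at a live download URL with an operator-supplied session cookie. The `/documents/` path, the `JSESSIONID` cookie name and the script name `cache_audit.py` in the usage comment are assumptions about a typical deployment, and the 10% heuristic freshness is common browser behaviour rather than a requirement of the RFC.

```python
"""Would a browser write this download to its on-disk cache? Decided from the response headers
alone, following RFC 9111 (sections 3, 4.2 and 5.3) for a private cache, plus a live-URL audit.
Added example for CVE-2025-62276, not Liferay code; the sample header sets are constructed."""
from __future__ import annotations

import sys
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.request import Request, urlopen


@dataclass(frozen=True)
class Verdict:
    stored: bool           # will the browser keep a copy on disk?
    fresh_for: int | None  # seconds it may be reused without revalidation; None = always revalidate
    reason: str


def parse_cache_control(value: str) -> dict[str, str | None]:
    """'Public, Max-Age="60"' -> {'public': None, 'max-age': '60'}; names are case-insensitive."""
    out: dict[str, str | None] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def parse_http_date(value: str | None) -> datetime | None:
    """HTTP-date -> aware datetime; None if absent or invalid (RFC 9111 5.3: an invalid Expires
    such as '0' or '-1' means 'already expired', so callers treat None as stale)."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    if dt is None:  # Python < 3.10 returned None instead of raising
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def browser_storability(headers: dict[str, str], now: datetime | None = None) -> Verdict:
    """Evaluate a 200 response to GET against a browser's private cache. Only no-store prevents
    storing: 'private' restricts shared caches, not the browser; 'no-cache' stores and revalidates;
    a Pragma header in a response has no defined meaning and is ignored here, as in the RFC."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    base = parse_http_date(h.get("date")) or now or datetime.now(timezone.utc)

    if "no-store" in cc:
        return Verdict(False, None, "no-store: response is not written to the cache")
    if "no-cache" in cc:
        return Verdict(True, None, "no-cache: stored on disk, revalidated before every reuse")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():  # max-age takes precedence over Expires
        return Verdict(True, int(max_age) or None, f"explicit freshness max-age={max_age}")
    if "expires" in h:
        expires = parse_http_date(h["expires"])
        lifetime = int((expires - base).total_seconds()) if expires else 0
        if lifetime <= 0:
            return Verdict(True, None, "Expires past or invalid: stored, revalidated before reuse")
        return Verdict(True, lifetime, f"Expires: fresh for {lifetime}s")
    if "last-modified" in h:
        # No explicit freshness: browsers apply a heuristic, commonly 10% of the Last-Modified age.
        lm = parse_http_date(h["last-modified"])
        lifetime = max(0, int(0.1 * (base - lm).total_seconds())) if lm else 0
        return Verdict(True, lifetime or None, "heuristic freshness from Last-Modified (RFC 9111 4.2.2)")
    return Verdict(True, None, "status 200 is heuristically cacheable; nothing forbids storing it")


def audit_download(url: str, cookie: str, timeout: float = 10.0) -> tuple[Verdict, dict[str, str]]:
    """GET a protected download with the operator's own session cookie and judge the headers.
    Needs network access, so it is only reached from the command line below."""
    req = Request(url, headers={"Cookie": cookie, "User-Agent": "cache-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        if resp.geturl() != url:  # a redirect normally means the login page: cookie rejected
            raise RuntimeError(f"redirected to {resp.geturl()}; session cookie probably rejected")
        headers: dict[str, str] = {}
        for k, v in resp.headers.items():  # repeated field lines are combined, as a browser would
            headers[k.lower()] = ", ".join(filter(None, (headers.get(k.lower()), v)))
    return browser_storability(headers), headers


# Constructed header sets (not captured from Liferay). The first four all leave the file on disk.
SAMPLES = {
    "public with a day of freshness": {"Cache-Control": "public, max-age=86400"},
    "private is not enough": {"Cache-Control": "private, max-age=3600"},
    "no-cache still writes to disk": {"Cache-Control": "no-cache"},
    "no caching headers at all": {"Date": "Mon, 10 Nov 2025 12:00:00 GMT",
                                  "Last-Modified": "Fri, 31 Oct 2025 12:00:00 GMT"},
    "corrected": {"Cache-Control": "private, no-store, no-cache, must-revalidate",
                  "Pragma": "no-cache", "Expires": "0"},
}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python cache_audit.py https://portal.example/documents/... 'JSESSIONID=...'
        verdict, hdrs = audit_download(sys.argv[1], sys.argv[2])
        print(f"Cache-Control: {hdrs.get('cache-control', '<absent>')}")
        print(("LEAK RISK" if verdict.stored else "OK") + ": " + verdict.reason)
    else:
        for label, hdrs in SAMPLES.items():
            v = browser_storability(hdrs)
            print(f"{'stored' if v.stored else 'not stored':>10} | fresh {str(v.fresh_for):>6} | {label}")
```

Run without arguments to see the five constructed cases: the four weak header sets all report `stored`, and only the corrected set containing `no-store` does not. Run with a protected download URL and your own session cookie to audit a live instance; a `stored` verdict on a protected document means the header fix is not in place, or that the proxy is appending a second Cache-Control line rather than replacing Liferay's.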
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Liferay
- Date Reserved: 2025-10-09T20:58:54.403Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6905491afb7fda9fbd25249b
Added to database: 10/31/2025, 11:41:14 PM
Last enriched: 11/8/2025, 2:42:56 AM
Last updated: 12/16/2025, 8:03:50 PM
Views: 128
Related Threats
- CVE-2025-8872: CWE-400 Uncontrolled Resource Consumption in Arista Networks EOS (High)
- CVE-2025-68142: CWE-1333: Inefficient Regular Expression Complexity in facelessuser pymdown-extensions (Low)
- CVE-2025-65589: n/a (Unknown)
- CVE-2025-65581: n/a (Medium)
- CVE-2025-52196: n/a (High)