CVE-2025-62247 — Liferay Portal and DXP are Missing Authorization in Collection Provider

Description

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

How to fix CVE-2025-62247

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2025-62247 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 3.0.84

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-62247
PATCHgithub.com/liferay/liferay-portal
WEBgithub.com/liferay/liferay-portal/commit/019d703943ef58fb7bd3f30fe680c02c2756f86b
WEBliferay.atlassian.net/browse/LPE-18297