DNS Rebinding in Liferay Portal 7.4.x <=7.4.3.119 & DXP Q1-2024
CVE-2025-62266 Published on October 30, 2025
By default, Liferay Portal 7.4.0 through 7.4.3.119, and older unsupported versions, and Liferay DXP 2024.Q1.1 through 2024.Q1.5, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older unsupported versions is vulnerable to DNS rebinding attacks, which allows remote attackers to redirect users to arbitrary external URLs. This vulnerability can be mitigated by changing the redirect URL security from IP to domain.
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2025-62266 has been classified to as an Open Redirect vulnerability or weakness.
Products Associated with CVE-2025-62266
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-62266 are published in these products:
Affected Versions
Liferay Portal:- Version 7.4.0, <= 7.4.3.119 is affected.
- Version 7.4.13, <= 7.4.13-u92 is affected.
- Version 2023.Q3.1, <= 2023.Q3.10 is affected.
- Version 2023.Q4.0, <= 2023.Q4.10 is affected.
- Version 2024.Q1.1, <= 2024.Q1.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.