Volerion logoVolerion
Volerion logoVolerion

Liferay Portal and DXP Denial-of-Service Vulnerability in ComboServlet

Vulnerability

A denial-of-service vulnerability has been identified in the ComboServlet of Liferay Portal versions 7.4.0 to 7.4.3.111, older unsupported versions, and Liferay DXP versions 2023.Q4.0 to 2023.Q4.2, 2023.Q3.1 to 2023.Q3.5, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The vulnerability arises because the ComboServlet does not restrict the number or size of files being combined, allowing remote attackers to generate excessively large responses that overwhelm the server, causing a denial-of-service condition via the URL query string.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the server to become unresponsive or to fail to handle requests properly.

Remediation

Users can upgrade to Liferay Portal 7.4.3.112 or Liferay DXP versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, or 7.3 U36 to address this vulnerability.

Added: Oct 23, 2025, 11:17 PM
Updated: Oct 23, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread
3.1
impact
2.5
exploitability
7.4
remediation
7.7
relevance
0.8
threat
0.0
urgency
2.9
incentive
5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.