CVE-2025-62247

Missing Authorization in Collection Provider component in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.9, 2025.Q1.0 through 2025.Q1.16, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 allows instance users to read and select unauthorized Blueprints through the Collection Providers across instances.

Published: Oct 22, 2025
Updated: Oct 23, 2025
CVE: CVE-2025-62247
GHSA: GHSA-cqwv-9xh5-25fg
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
com.liferay / com.liferay.search.experiences.service	-	3.0.84.x

https://github.com/liferay/liferay-portal/commit/019d703943ef58fb7bd3f30fe680c02c2756f86b
https://liferay.atlassian.net/browse/LPE-18297
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62247

Vulnerability Database

CVE-2025-62247

Deep Security Visibility Without the Complexity