
Here are a few recent AppSec-related news items you may have missed.
- A use-after-free (write) has been found in popular PDF rendering library Poppler prior to 25.10.0 (CVE-2025-52885 CVSSv3=7.8), providing a vector for information exposure and possibly arbitrary code execution. Patch Poppler to 25.10.0; or, if your vendor has backported the fix, apply that.
- A parameter-validation flaw (IDOR) in Liferay’s Account Admin Web module allows attackers to leverage a user-controlled key to access privileged functions in the panel (CVE-2025-62242 CVSSv3=9.1). The issue exists in Liferay Portal 7.4.3.4 through 7.4.3.111; and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92. Apply patches as appropriate; since it affects PII in many deployments, compliance and regulatory requirements may be in play.
Poppler PDF library use-after-free
A use-after-free (write) has been found in popular PDF rendering library Poppler prior to 25.10.0 (CVE-2025-52885 CVSSv3=7.8), providing a vector for information exposure and possibly arbitrary code execution. Patch Poppler to 25.10.0; or, if your vendor has backported the fix, apply that.
PDF libraries like Poppler are ubiquitous, showing up in many unexpected applications or in toolchains buried within Docker containers. That makes issues like this difficult to detect and manage; no single tool will find every copy. Use your SCA and container security solutions to hunt down places where it might be in your shipping applications, and use your endpoint scanners to identify the package on workstations and servers.
You can also use system package managers to look for system-wide installs, with the caveat that this may not be the only way it’s installed: Poppler is often vendored into application bundles and container images, and the poppler-utils binaries (pdftotext, pdftoppm and friends) are frequently shelled out to by wrappers that never declare a dependency on them. For example, on Debian-based Linux (including Ubuntu):
dpkg -l | grep -i poppler
On RPM-based distributions:
rpm -qa | grep -i poppler
Compare the reported version against 25.10.0, bearing in mind that a distribution which backports the fix keeps the older upstream version number, so check the vendor advisory before calling a hit vulnerable. To determine impact, examine logs for unusual crashes, segfaults, and related issues that are out of the ordinary or can be attributed to a Poppler library or to the tools built on it.
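As an added example (not code from the original post or from the Poppler project), here is a POSIX shell script that performs the package-manager hunt above and flags versions below 25.10.0. The dpkg -l lines it runs over by default are constructed for illustration, not a real inventory; invoked with --scan it queries dpkg, rpm, ldconfig and pdftotext -v on the current host where those exist. A VULNERABLE line is a prompt to check the vendor advisory, not a verdict, since a backported fix leaves the upstream version unchanged.

```shell
#!/bin/sh
# Added example, not from the original post or the Poppler project:
# find Poppler on a host and flag versions below the fixed release.
FIXED="25.10.0"   # first release carrying the fix for CVE-2025-52885

# strip0 N: drop leading zeros so a component like "08" (as in 24.08.0)
# is never parsed as an invalid octal literal.
strip0() {
    s="${1:-0}"
    while [ "${s#0}" != "$s" ] && [ -n "${s#0}" ]; do s="${s#0}"; done
    printf '%s' "$s"
}

# version_lt A B: true (0) when dotted version A is older than B.
# Pure POSIX sh, so it does not depend on GNU sort -V.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah=$(strip0 "$ah"); bh=$(strip0 "$bh")
        [ "$ah" -lt "$bh" ] && return 0
        [ "$ah" -gt "$bh" ] && return 1
    done
    return 1
}

# poppler_vulnerable VER: true when the upstream part of a package version
# (epoch and distro revision stripped) is below FIXED. Distros that backport
# the fix keep the old upstream number, so treat a hit as "check the advisory".
poppler_vulnerable() {
    v="${1#*:}"         # drop epoch, e.g. "1:22.12.0-2" -> "22.12.0-2"
    v="${v%%[-+~]*}"    # drop revision, e.g. "24.02.0-1ubuntu1" -> "24.02.0"
    version_lt "$v" "$FIXED"
}

# report_vulnerable_dpkg: read `dpkg -l` output on stdin and print one line
# per installed poppler package whose version is below FIXED.
report_vulnerable_dpkg() {
    while read -r status name version rest; do
        case "$status" in ii|hi) ;; *) continue ;; esac   # installed only
        case "$name" in *poppler*) ;; *) continue ;; esac
        if poppler_vulnerable "$version"; then
            echo "VULNERABLE $name $version"
        fi
    done
}

# Constructed sample of `dpkg -l` output for illustration (not a real host).
SAMPLE_DPKG='Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                    Version            Architecture Description
ii  libpoppler-glib8:amd64  24.02.0-1ubuntu1   amd64        PDF rendering library (GLib-based shared library)
ii  libpoppler-qt5-1:amd64  22.12.0-2+b1       amd64        PDF rendering library (Qt 5 based shared library)
ii  poppler-utils           24.02.0-1ubuntu1   amd64        PDF utilities (based on Poppler)
ii  libpoppler-fixed        25.10.0-1          amd64        constructed: already at the fixed release
rc  libpoppler-old          0.86.1-1           amd64        removed, config files remain'

# scan_host: live check of this machine via the package managers, the dynamic
# linker cache, and the poppler-utils binaries (which print their version).
scan_host() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -l 2>/dev/null | report_vulnerable_dpkg
    fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null | grep -i poppler |
        while read -r name version; do
            poppler_vulnerable "$version" && echo "VULNERABLE $name $version"
        done
    fi
    if command -v ldconfig >/dev/null 2>&1; then ldconfig -p 2>/dev/null | grep -i poppler; fi
    if command -v pdftotext >/dev/null 2>&1; then pdftotext -v 2>&1 | head -n 1; fi
}

# Run against the constructed sample by default; `--scan` checks this host.
if [ "${1:-}" = "--scan" ]; then
    scan_host
else
    printf '%s\n' "$SAMPLE_DPKG" | report_vulnerable_dpkg
fi
```

Against the constructed sample the script reports the three packages at 24.02.0 and 22.12.0 and stays silent about the package already at 25.10.0 and the removed (rc) one. Feed it real output from a container image (for example docker run --rm IMAGE dpkg -l | sh this_script.sh, with the default branch reading stdin) to cover the buried toolchains mentioned above.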
Liferay Account Admin Web authorization bypass
A parameter-validation flaw (IDOR) in Liferay’s Account Admin Web module allows attackers to leverage a user-controlled key to access privileged functions in the panel (CVE-2025-62242 CVSSv3=9.1). The issue exists in Liferay Portal 7.4.3.4 through 7.4.3.111; and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, and 7.4 GA through update 92. Apply patches as appropriate; since it affects PII in many deployments, compliance and regulatory requirements may be in play.
Many organizations use Liferay for everything from intranets to eCommerce; although developers customize it heavily, AppSec does not always have sufficient visibility into those deployments. It should: like any enterprise web application, they often hold sensitive configuration and user data. An Insecure Direct Object Reference (IDOR) lets one authenticated user reach another’s records simply by changing an identifier in a request; here, the exposed data is privacy-related, in the form of user addresses.
Patch the affected Liferay modules promptly. In the meantime, review custom themes and third-party plugins that call Liferay APIs to ensure they handle object references correctly as well. Harden access controls so that server-side logic resolves the target record from the authenticated session, or checks the caller’s permission on the specific object requested, rather than trusting a client-supplied key.