CVE-2025-3602 in Liferay
Summary
by MITRE • 06/16/2025
Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.
Analysis
by VulDB Data Team • 12/16/2025
The vulnerability affects the Liferay Portal and Liferay DXP versions listed in the summary, whose GraphQL query processing does not enforce a maximum query depth. A remote attacker can submit a query that traverses deeply nested object relationships without restriction; each additional nesting level multiplies the objects the server must resolve, so a single small request can consume CPU and memory out of all proportion to its size. The result is a denial-of-service condition in which crafted queries overwhelm the application's processing capacity.
Technically, the flaw is a missing validation control in the GraphQL execution layer: when a query is submitted, nothing checks the nesting depth of its selection sets, so an attacker can chain relationship fields level after level. Because each level is resolved for every object returned by the level above, the work the server performs grows multiplicatively with depth rather than with the byte size of the request, and a query of a few hundred bytes can exhaust server resources and make the service unavailable to legitimate users. The issue maps to CWE-400 (uncontrolled resource consumption) and CWE-693 (protection mechanism failure).
The operational impact of CVE-2025-3602 is significant for organizations running affected versions, because the attack needs no privileged access and no complex exploitation technique: any user who can reach the GraphQL endpoint can send the queries remotely. That makes it particularly dangerous in multi-tenant deployments where several customers share one instance. Administrators may observe performance degradation that worsens as the malicious queries arrive, up to complete unavailability once they consume all available processing resources. In MITRE ATT&CK terms the attack corresponds to T1499 (Endpoint Denial of Service); T1595 (Active Scanning) covers the reconnaissance an attacker would use to locate the exposed endpoint.
The primary remediation is to upgrade to a Liferay release outside the affected ranges listed in the summary. Until that is possible, organizations should enforce a maximum query depth in front of or within the GraphQL processing layer, rate-limit the GraphQL endpoint, and monitor for unusual query patterns. The depth limit should be set just above the deepest query legitimate clients actually send (a small single-digit number of levels is common, but the right value depends on the schema and the applications that use it). Depth is not the whole story: query complexity analysis, which also accounts for list sizes, aliases and batched operations, together with baseline performance metrics, helps detect exploitation attempts that stay within the depth limit. A web application firewall with GraphQL-aware rules can apply the same controls at the edge. Any limit should be tested against the legitimate business queries so that they continue to work while oversized queries are rejected.
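As an added example (not VulDB's analysis and not Liferay's code), the following Python implements the depth gate described above as it might run in a reverse proxy or request filter in front of Liferay's GraphQL endpoint (/o/graphql by default); the MAX_DEPTH value, the proxy placement and the field names in the sample attack query are assumptions. It also generates the kind of nested query the advisory describes, so the same measurement serves both to understand the attack and to test the limit.

```python
"""Depth gate for GraphQL POST bodies, e.g. in a reverse proxy in front of
Liferay's /o/graphql endpoint (the proxy placement is an assumption).

Depth convention: the number of nested selection sets, so "{ a }" is 1 and
"{ a { b { c } } }" is 3.  Inline fragments ("... on T { }") open a selection
set and therefore also count, which makes the gate conservative (it may
over-count, never under-count).
"""
import json

# Assumed limit: tune to the deepest query legitimate clients actually send.
MAX_DEPTH = 6


def selection_depth(query: str) -> int:
    """Return the deepest selection-set nesting in a GraphQL document.

    Braces inside string literals, block strings, comments and argument lists
    (object-literal arguments such as filter: {field: 1}) are ignored so that
    an attacker cannot hide or fake nesting there.  Raises ValueError on an
    unbalanced document, which the caller treats as a rejection.
    """
    depth = paren = deepest = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                       # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if query.startswith('"""', i):      # block string
            j = i + 3
            while True:
                j = query.find('"""', j)
                if j < 0:
                    raise ValueError("unterminated block string")
                if query[j - 1] != "\\":    # skip escaped \""" sequences
                    break
                j += 1
            i = j + 3
            continue
        if ch == '"':                       # ordinary string, honour backslash escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
            if i >= n:
                raise ValueError("unterminated string")
            i += 1
            continue
        if ch == "(":
            paren += 1
        elif ch == ")":
            paren -= 1
            if paren < 0:
                raise ValueError("unbalanced parentheses")
        elif paren == 0:                    # braces only count outside argument lists
            if ch == "{":
                depth += 1
                deepest = max(deepest, depth)
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced braces")
        i += 1
    if depth or paren:
        raise ValueError("unbalanced document")
    return deepest


def build_nested_query(field_chain, leaf: str = "id") -> str:
    """Build the kind of query an attacker sends: each field in the chain opens
    another selection set, so depth == len(field_chain) + 1.  Field names are
    illustrative (constructed), not Liferay's schema."""
    body = leaf
    for field in reversed(field_chain):
        body = f"{field} {{ {body} }}"
    return f"{{ {body} }}"


def check_request(raw_body: bytes, max_depth: int = MAX_DEPTH):
    """Gate one HTTP POST body; returns (allowed, reason).  Batched requests
    (a JSON array of operations) are checked operation by operation, since
    batching is another way to multiply server work per request."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False, "reject: body is not JSON"
    operations = payload if isinstance(payload, list) else [payload]
    for op in operations:
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str):
            return False, "reject: operation has no query string"
        try:
            depth = selection_depth(query)
        except ValueError as exc:
            return False, f"reject: {exc}"
        if depth > max_depth:
            return False, f"reject: depth {depth} exceeds limit {max_depth}"
    return True, f"allow: {len(operations)} operation(s) within depth {max_depth}"


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate query, one deep attack query.
    legit = json.dumps({"query": "{ me { id name } }"}).encode()
    attack = json.dumps({"query": build_nested_query(["sites", "pages", "site"] * 4)}).encode()
    for body in (legit, attack):
        print(check_request(body))
```

With a page size of 20 and eight levels of relationship fields the server would have to resolve on the order of 20^8 objects, which is why depth rather than request size is the right quantity to bound. Depth alone does not bound cost, though: aliases, batching and large page sizes can multiply work at a fixed depth, which is why the gate checks every operation in a batched body and why complexity analysis and rate limiting are still needed alongside it.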