CVE-2025-3602: CWE-400 Uncontrolled Resource Consumption in Liferay Portal
Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.
AI Analysis
Technical Summary
CVE-2025-3602 is a high-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP: Portal 7.4.0 through 7.4.3.97, and DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20. The vulnerability arises from the lack of any limit on the depth of GraphQL queries processed by the portal. GraphQL is a query language for APIs that allows clients to request exactly the data they need; without restrictions on query depth or complexity, an attacker can craft deeply nested queries that consume excessive server resources such as CPU, memory, or database connections. This uncontrolled resource consumption leads to a denial-of-service (DoS) condition in which legitimate users experience degraded performance or complete service unavailability. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.7, reflecting a high impact on availability and no impact on confidentiality or integrity. No known exploits had been reported in the wild as of the publication date, but the ease of exploitation and the criticality of availability disruption make this a significant threat. The absence of patch links in the advisory suggests that remediation may require vendor updates or configuration changes that limit query depth or complexity at the GraphQL endpoint. Organizations running affected Liferay versions should prioritize mitigation to prevent DoS attacks that could disrupt business operations or customer-facing services.
Potential Impact
For European organizations, the impact of CVE-2025-3602 can be substantial, especially for those relying on Liferay Portal or Liferay DXP as a core component of their digital infrastructure. Liferay is widely used in sectors such as government, education, healthcare, and large enterprises for intranet portals, content management, and customer engagement platforms. Successful exploitation could cause service outages that affect the availability of critical applications and portals, resulting in operational downtime, loss of productivity, and reputational damage. Public sector entities and service providers hosting citizen-facing portals may face increased scrutiny and regulatory consequences if service disruptions affect compliance with service-level agreements or data protection regulations such as GDPR. Additionally, the DoS condition could be used as a smokescreen for other malicious activity or combined with other attacks to amplify their impact. Because no authentication is required, the barrier for attackers is low, increasing the risk of opportunistic or targeted attacks against European organizations that have not implemented adequate query complexity controls or monitoring.
Mitigation Recommendations
1. Immediate mitigation should include implementing rate limiting and throttling on GraphQL endpoints to restrict the number of queries and their complexity per client IP or session.
2. Configure or deploy GraphQL query depth limiting middleware or plugins that enforce maximum query depth and complexity thresholds to prevent excessively nested queries.
3. Monitor GraphQL query patterns and server resource utilization closely to detect anomalous spikes indicative of abuse or attack attempts.
4. Apply network-level protections such as Web Application Firewalls (WAFs) with custom rules to identify and block suspicious GraphQL queries based on complexity or size.
5. Engage with Liferay support or vendor advisories to obtain patches or updates that address this vulnerability directly once available.
6. Conduct internal audits of all Liferay Portal and DXP instances to identify affected versions and prioritize patching or configuration changes.
7. Educate development and operations teams about secure GraphQL practices and the risks of uncontrolled query execution.
8. Consider deploying caching mechanisms to reduce backend load from repeated complex queries.
These steps go beyond generic advice by focusing specifically on GraphQL query management and resource protection tailored to Liferay environments.
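As an added example (not code from the advisory or from Liferay), the following Python depth gate illustrates what the depth-limiting middleware in recommendation 2 must get right: it parses the selection sets of a GraphQL document, expands named fragments (where a plain brace count would miss hidden depth), ignores braces inside strings and argument object literals, and fails closed on malformed or cyclic documents. The function names, the depth convention ("{ a }" is 1) and the default limit of 8 are assumptions for this example, not Liferay settings.

```python
import re

# Tokenizer for the GraphQL syntax relevant to depth; comments, strings and block strings are matched whole so braces inside them cannot distort the count.
_TOKEN = re.compile(r'"""(?:[^"]|"(?!""))*"""|"(?:\\.|[^"\\\n])*"|#[^\n]*|\.\.\.|[_A-Za-z]\w*|\S')

def _skip_decor(toks, i, level=0):  # skip "(...)" lists and "@directives"; braces in object literals stay inside the parens
    while level or toks[i] in ("(", "@"):
        level += (toks[i] == "(") - (toks[i] == ")")
        i += 2 if toks[i] == "@" else 1
    return i

def _parse_selection_set(toks, i):  # toks[i] == "{" -> (items, index just past the matching "}")
    items, i = [], i + 1
    while toks[i] != "}":
        if toks[i] == "..." and toks[i + 1] not in ("on", "@", "{"):  # named spread: "...Name [@dirs]"
            items.append(("spread", toks[i + 1])); i = _skip_decor(toks, i + 2)
            continue
        kind = "inline" if toks[i] == "..." else "field"  # "... on T {" / "... @d {" / "... {" or a field
        i += 3 if toks[i + 1] == (":" if kind == "field" else "on") else 1  # past "alias :" / "... on T"
        i = _skip_decor(toks, i)
        child, i = _parse_selection_set(toks, i) if toks[i] == "{" else ([], i)
        items.append((kind, child))
    return items, i + 1

def _depth(items, frags, active=frozenset()):  # deepest field nesting: "{ a }" is 1, "{ a { b } }" is 2
    return max((_item_depth(k, c, frags, active) for k, c in items), default=0)
def _item_depth(kind, child, frags, active):
    if kind == "field":  # a field adds one level; its sub-selection, if any, adds more
        return 1 + _depth(child, frags, active)
    if kind == "inline":  # "... on T { }" adds no level of its own
        return _depth(child, frags, active)
    if child in active or child not in frags:  # named spread: expand it; `active` is the spread chain
        raise ValueError(f"cyclic or unknown fragment: {child}")
    return _depth(frags[child], frags, active | {child})

def query_depth(doc):  # depth of the deepest operation in the document, fragments expanded
    toks = [t for t in _TOKEN.findall(doc) if t[0] not in '#"' and t != ","]
    ops, frags, i = [], {}, 0
    while i < len(toks):
        name = toks[i + 1] if toks[i] == "fragment" else None
        while toks[i] not in ("(", "@", "{"):  # skip "query Name" / "fragment Name on Type"
            i += 1
        body, i = _parse_selection_set(toks, _skip_decor(toks, i))
        if name is None: ops.append(body)
        else: frags[name] = body
    return max(_depth(op, frags) for op in ops)
def exceeds_depth(doc, max_depth=8):  # gate to run before a document reaches the executor; assumed default limit
    try: return query_depth(doc) > max_depth
    except (ValueError, IndexError): return True  # malformed, truncated or cyclic document: fail closed
```

In production, prefer the depth and complexity instrumentation the GraphQL server library itself provides (graphql-java, for instance, ships MaxQueryDepthInstrumentation) and pair the depth limit with the rate limiting and monitoring from recommendations 1 and 3.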
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Finland, Denmark, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-14T18:17:40.151Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68502479a8c921274384327b
Added to database: 6/16/2025, 2:04:41 PM
Last enriched: 6/16/2025, 2:19:51 PM
Last updated: 8/7/2025, 1:21:38 PM