
CVE-2025-3602: CWE-400 Uncontrolled Resource Consumption in Liferay Portal

Severity: High
Tags: Vulnerability, CVE-2025-3602, CWE-400
Published: Mon Jun 16 2025 (06/16/2025, 13:50:04 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 do not limit the depth of GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

AI-Powered Analysis

Last updated: 06/16/2025, 14:19:51 UTC

Technical Analysis

CVE-2025-3602 is a high-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP, specifically versions 7.2 fix pack 8 through fix pack 20, 7.3 GA through update 35, 7.4 GA through update 92, and 7.4.0 through 7.4.3.97, as well as 2023.Q3.1 through 2023.Q3.2 releases. The vulnerability arises from the lack of limitation on the depth of GraphQL queries processed by the portal.

GraphQL is a query language for APIs that allows clients to request exactly the data they need. However, without restrictions on query complexity or depth, an attacker can craft deeply nested or complex queries that consume excessive server resources such as CPU, memory, or database connections. This uncontrolled resource consumption leads to a denial-of-service (DoS) condition, where legitimate users may experience degraded performance or complete service unavailability.

The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 8.7, reflecting high impact primarily on availability, with no impact on confidentiality or integrity. No known exploits have been reported in the wild as of the publication date, but the ease of exploitation and the critical nature of availability disruption make this a significant threat.

The absence of patch links suggests that remediation may require vendor updates or configuration changes that limit query depth or complexity in GraphQL endpoints. Organizations using affected Liferay versions should prioritize mitigation to prevent potential DoS attacks that could disrupt business operations or customer-facing services.

Potential Impact

For European organizations, the impact of CVE-2025-3602 can be substantial, especially for those relying on Liferay Portal or Liferay DXP as a core component of their digital infrastructure. Liferay is widely used in sectors such as government, education, healthcare, and large enterprises for intranet portals, content management, and customer engagement platforms. A successful exploitation could lead to service outages, affecting availability of critical applications and portals. This can result in operational downtime, loss of productivity, and reputational damage. Public sector entities and service providers hosting citizen-facing portals may face increased scrutiny and regulatory consequences if service disruptions affect compliance with service-level agreements or data protection regulations like GDPR. Additionally, the DoS condition could be leveraged as a smokescreen for other malicious activities or combined with other attacks to amplify impact. The lack of authentication requirement lowers the barrier for attackers, increasing the risk of opportunistic or targeted attacks against European organizations that have not implemented adequate query complexity controls or monitoring.

Mitigation Recommendations

1. Immediate mitigation should include implementing rate limiting and throttling on GraphQL endpoints to restrict the number of queries and their complexity per client IP or session.
2. Configure or deploy GraphQL query depth limiting middleware or plugins that enforce maximum query depth and complexity thresholds to prevent excessively nested queries.
3. Monitor GraphQL query patterns and server resource utilization closely to detect anomalous spikes indicative of abuse or attack attempts.
4. Apply network-level protections such as Web Application Firewalls (WAFs) with custom rules to identify and block suspicious GraphQL queries based on complexity or size.
5. Engage with Liferay support or vendor advisories to obtain patches or updates that address this vulnerability directly once available.
6. Conduct internal audits of all Liferay Portal and DXP instances to identify affected versions and prioritize patching or configuration changes.
7. Educate development and operations teams about secure GraphQL practices and the risks of uncontrolled query execution.
8. Consider deploying caching mechanisms to reduce backend load from repeated complex queries.

These steps go beyond generic advice by focusing specifically on GraphQL query management and resource protection tailored to Liferay environments.
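As an added example (not code from this page, from Liferay, or from any GraphQL library), the following Python shows the kind of pre-execution depth check that recommendation 2 describes and that the Technical Analysis above identifies as the missing control. It scans a GraphQL document once, measures how deeply selection sets nest, resolves fragment spreads so that nesting hidden behind fragments is still counted (and fragment cycles are refused), ignores braces inside strings, comments and argument object literals so they cannot skew the count, and rejects anything beyond an assumed policy limit. The names MAX_DEPTH, check_query and query_depth, the depth metric, and the sample documents are all constructed for this illustration.

```python
import re

MAX_DEPTH = 5  # assumed policy value for this example; tune per schema
# String literals (block and plain) and comments, blanked before scanning
# so that braces inside them are never mistaken for selection sets.
_NOISE = re.compile(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*')
_IDENT = re.compile(r"[_A-Za-z][_0-9A-Za-z]*")
_FRAGMENT = re.compile(r"^\s*fragment\s+([_A-Za-z][_0-9A-Za-z]*)\s+on\s+")

class _Definition:
    """One operation or fragment: its own nesting plus the spreads it uses."""
    def __init__(self):
        self.own_depth = 0
        self.spreads = []  # (depth at which the spread occurs, fragment name)

def _parse(doc):
    """Split the document into operations and named fragments, recording how
    deeply selection sets nest. Braces inside parentheses are argument object
    literals, not selection sets, so they are not counted."""
    text = _NOISE.sub(lambda m: " " * len(m.group(0)), doc)
    operations, fragments, header, current = [], {}, [], None
    depth = paren = i = 0
    n = len(text)
    while i < n:
        c = text[i]
        if c in "()":
            paren += 1 if c == "(" else -1
        elif c == "{" and paren == 0:
            depth += 1
            if depth == 1:
                current = _Definition()
            current.own_depth = max(current.own_depth, depth)
        elif c == "}" and paren == 0:
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
            if depth == 0:                              # definition closed
                m = _FRAGMENT.match("".join(header))
                if m:
                    fragments[m.group(1)] = current
                else:
                    operations.append(current)
                header, current = [], None
        elif depth > 0 and text.startswith("...", i):   # spread or inline fragment
            j = i + 3
            while j < n and text[j].isspace():
                j += 1
            m = _IDENT.match(text, j)
            if m and m.group(0) != "on":                # "... on T" is inline, braces count it
                current.spreads.append((depth, m.group(0)))
                j = m.end()
            i = j
            continue
        elif depth == 0:
            header.append(c)
        i += 1
    if depth or paren:
        raise ValueError("unbalanced braces or parentheses")
    return operations, fragments

def _resolve(definition, fragments, active):
    """Effective depth: a spread at depth d contributes d + fragment depth - 1,
    because the fragment's outer braces are the selection set it is spread into."""
    best = definition.own_depth
    for at, name in definition.spreads:
        if name in active:
            raise ValueError(f"fragment cycle through {name}")
        if name not in fragments:
            raise ValueError(f"unknown fragment {name}")
        best = max(best, at + _resolve(fragments[name], fragments, active | {name}) - 1)
    return best

def query_depth(doc):
    """Maximum selection-set nesting across the document's operations."""
    operations, fragments = _parse(doc)
    return max((_resolve(op, fragments, frozenset()) for op in operations), default=0)

def check_query(doc, max_depth=MAX_DEPTH):
    """Gate to run before the document reaches the GraphQL engine; returns
    (allowed, reason). Malformed documents are rejected, not executed."""
    try:
        depth = query_depth(doc)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if depth > max_depth:
        return False, f"rejected: depth {depth} exceeds limit {max_depth}"
    return True, f"accepted: depth {depth}"

# Constructed sample documents for trying the gate (not real Liferay queries).
NORMAL = 'query P($role: String = "{") { me { name friends { name } }'
NORMAL += ' users(filter: {role: {eq: "admin"}}) { id } }  # {{{{'
FRAGMENTED = "query { me { ...Friends } } fragment Friends on User { friends { friends { name } } }"
NESTED = "{ a " + "{ b " * 9 + "{ c }" + " }" * 9 + " }"   # 11 levels deep
CYCLIC = "query { ...Loop } fragment Loop on T { x { ...Loop } }"
```

check_query(NORMAL) and check_query(FRAGMENTED) are accepted at depths 3 and 4, while NESTED is rejected for exceeding the limit and CYCLIC is rejected before any execution because the fragment references itself. The scan is linear in document size, so it is cheap enough to run on every request ahead of the parser. Depth alone does not bound breadth (many sibling fields or aliases at one level), so a deployment should pair it with the complexity or cost thresholds and the rate limiting in recommendations 1 and 2 rather than rely on it by itself.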


Technical Details

Data Version: 5.1
Assigner Short Name: Liferay
Date Reserved: 2025-04-14T18:17:40.151Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68502479a8c921274384327b

Added to database: 6/16/2025, 2:04:41 PM

Last enriched: 6/16/2025, 2:19:51 PM

Last updated: 8/7/2025, 1:21:38 PM

Views: 26
