CVE-2025-3602 Overview
A denial-of-service vulnerability exists in Liferay Portal and Liferay Digital Experience Platform (DXP) due to insufficient depth limiting on GraphQL queries. The application fails to restrict the depth of GraphQL queries, allowing remote attackers to craft complex, deeply nested queries that consume excessive server resources. This resource exhaustion vulnerability (CWE-400) enables unauthenticated attackers to degrade or completely disrupt service availability through carefully constructed GraphQL requests.
Critical Impact
Remote unauthenticated attackers can cause complete denial of service by submitting deeply nested GraphQL queries, potentially disrupting critical enterprise portal and content management operations.
Affected Products
- Liferay Portal 7.4.0 through 7.4.3.97
- Liferay DXP 2023.Q3.1 through 2023.Q3.2
- Liferay DXP 7.4 GA through update 92
- Liferay DXP 7.3 GA through update 35
- Liferay DXP 7.2 fix pack 8 through fix pack 20
Discovery Timeline
- June 16, 2025 - CVE-2025-3602 published to NVD
- December 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-3602
Vulnerability Analysis
This vulnerability stems from missing query depth validation in Liferay's GraphQL implementation. GraphQL APIs, by design, allow clients to specify exactly what data they need through nested queries. However, without proper depth limiting controls, attackers can exploit this flexibility to construct malicious queries with extreme nesting levels.
When a deeply nested GraphQL query is submitted, the server must recursively resolve each level of the query, consuming CPU cycles and memory with each additional depth level. Because the resolver workload can grow exponentially with nesting depth, a relatively simple-looking query with sufficient depth can generate an enormous computational load on the server.
The attack does not require any authentication, making it particularly dangerous as any network-accessible instance of the affected Liferay products can be targeted. The vulnerability affects the availability of the system while confidentiality and integrity remain intact.
Root Cause
The root cause is the absence of GraphQL query depth limiting controls in the affected Liferay versions. The GraphQL query parser and execution engine process incoming queries without validating the nesting depth against a configured maximum threshold. This allows arbitrarily deep queries to be processed, leading to resource exhaustion.
Attack Vector
The attack can be executed remotely over the network without requiring authentication. An attacker identifies a Liferay instance with an exposed GraphQL endpoint, then crafts a malicious query with deeply nested fields and relationships. When this query is submitted to the GraphQL endpoint, the server attempts to resolve all nested levels, consuming server resources and potentially causing the application to become unresponsive or crash.
The attack exploits the inherent nature of GraphQL's nested query resolution. Each level of nesting multiplies the resolver workload, and without depth limits, attackers can easily craft queries that overwhelm server resources. This is a well-known attack pattern against GraphQL implementations that lack proper query complexity controls.
Detection Methods for CVE-2025-3602
Indicators of Compromise
- Unusually large or deeply nested GraphQL queries in web server access logs
- Sudden spikes in CPU utilization on Liferay application servers coinciding with GraphQL endpoint requests
- Memory exhaustion alerts or out-of-memory errors in application logs
- Multiple timeout errors on the GraphQL endpoint
Detection Strategies
- Implement logging and monitoring of GraphQL query complexity and depth metrics
- Configure web application firewall (WAF) rules to detect and block abnormally large GraphQL request payloads
- Set up anomaly detection for GraphQL endpoint request patterns and response times
- Monitor for repeated failed or timed-out GraphQL requests from single source IPs
Monitoring Recommendations
- Enable detailed access logging for the /o/graphql endpoint and related GraphQL routes
- Configure alerting thresholds for GraphQL endpoint response latency degradation
- Implement rate limiting monitoring on GraphQL endpoints to identify potential abuse patterns
- Monitor application server resource utilization metrics in correlation with GraphQL traffic
How to Mitigate CVE-2025-3602
Immediate Actions Required
- Upgrade to a patched version of Liferay Portal or Liferay DXP as specified in the vendor advisory
- If immediate patching is not possible, consider temporarily disabling or restricting access to the GraphQL endpoint
- Implement network-level controls to limit access to the GraphQL endpoint to trusted clients only
- Enable rate limiting on the GraphQL endpoint to slow potential exploitation attempts
Patch Information
Liferay has released security updates to address this vulnerability. Organizations should upgrade to the latest available versions of Liferay Portal and Liferay DXP that include query depth limiting controls. Consult the Liferay Security Advisory for specific version information and upgrade guidance.
Workarounds
- Implement a reverse proxy or API gateway with GraphQL query depth validation capabilities in front of the Liferay instance
- Configure web application firewall rules to reject GraphQL queries exceeding a reasonable size threshold
- Restrict network access to the GraphQL endpoint using firewall rules or security groups
- Consider disabling GraphQL functionality entirely if not required for business operations until patching is complete
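The depth check that the Root Cause section describes as missing, and that the reverse-proxy workaround above would enforce in front of /o/graphql, as an added example in Python (not Liferay's own code): it computes a GraphQL document's selection-set depth while skipping string literals and comments so braces inside them cannot skew the count, returns the depth as a metric worth logging, and rejects anything over an assumed MAX_DEPTH of 10. Fragment spreads are not expanded, which is a gap a production gate must close.

```python
MAX_DEPTH = 10  # assumed gateway policy value, not a Liferay default


def query_depth(query: str) -> int:
    """Deepest selection-set nesting in a GraphQL document.

    Braces inside string literals and '#' comments are skipped so they
    cannot inflate or deflate the count. Fragment spreads are not expanded;
    a fragment's depth is counted only where it is defined.
    """
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                      # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
        elif query.startswith('"""', i):   # block string """..."""
            end = query.find('"""', i + 3)
            i = n if end < 0 else end + 3
            continue
        elif ch == '"':                    # ordinary string, honour escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
        i += 1
    return max_depth


def check_query(query: str, limit: int = MAX_DEPTH) -> dict:
    """Gate decision plus the depth metric a monitoring pipeline can log."""
    d = query_depth(query)
    return {"depth": d, "allowed": d <= limit}


# Constructed samples: a normal query (depth 3; the brace inside the string
# and the one in the comment must not count) and one nested 40 levels deep.
BENIGN = 'query { user(id: "a}b") { name # {not a brace}\n posts { title } } }'
ABUSIVE = "query " + "{ a " * 40 + "}" * 40

if __name__ == "__main__":
    for name, q in (("benign", BENIGN), ("abusive", ABUSIVE)):
        print(name, check_query(q))
```

Wire check_query into the proxy's request hook and log the returned depth on every request; the metric itself is the signal the Detection Strategies section asks for, and the rejection is the gate.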
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


