Skip to main content
CVE Vulnerability Database

CVE-2025-3602: Liferay DXP GraphQL DoS Vulnerability

CVE-2025-3602 is a denial-of-service flaw in Liferay Digital Experience Platform caused by unlimited GraphQL query depth. Attackers can exploit this to crash the application using complex queries.

Published:

CVE-2025-3602 Overview

A denial-of-service vulnerability exists in Liferay Portal and Liferay Digital Experience Platform (DXP) due to insufficient depth limiting on GraphQL queries. The application fails to restrict the depth of GraphQL queries, allowing remote attackers to craft complex, deeply nested queries that consume excessive server resources. This resource exhaustion vulnerability (CWE-400) enables unauthenticated attackers to degrade or completely disrupt service availability through carefully constructed GraphQL requests.

Critical Impact

Remote unauthenticated attackers can cause complete denial of service by submitting deeply nested GraphQL queries, potentially disrupting critical enterprise portal and content management operations.

Affected Products

  • Liferay Portal 7.4.0 through 7.4.3.97
  • Liferay DXP 2023.Q3.1 through 2023.Q3.2
  • Liferay DXP 7.4 GA through update 92
  • Liferay DXP 7.3 GA through update 35
  • Liferay DXP 7.2 fix pack 8 through fix pack 20

Discovery Timeline

  • June 16, 2025 - CVE-2025-3602 published to NVD
  • December 16, 2025 - Last updated in NVD database

Technical Details for CVE-2025-3602

Vulnerability Analysis

This vulnerability stems from missing query depth validation in Liferay's GraphQL implementation. GraphQL APIs, by design, allow clients to specify exactly what data they need through nested queries. However, without proper depth limiting controls, attackers can exploit this flexibility to construct malicious queries with extreme nesting levels.

When a deeply nested GraphQL query is submitted, the server must recursively resolve each level of the query, consuming CPU cycles and memory with each additional depth level. The exponential nature of nested query resolution means that a relatively simple-looking query with sufficient depth can generate an enormous computational load on the server.

The attack does not require any authentication, making it particularly dangerous as any network-accessible instance of the affected Liferay products can be targeted. The vulnerability affects the availability of the system while confidentiality and integrity remain intact.

Root Cause

The root cause is the absence of GraphQL query depth limiting controls in the affected Liferay versions. The GraphQL query parser and execution engine process incoming queries without validating the nesting depth against a configured maximum threshold. This allows arbitrarily deep queries to be processed, leading to resource exhaustion.

Attack Vector

The attack can be executed remotely over the network without requiring authentication. An attacker identifies a Liferay instance with an exposed GraphQL endpoint, then crafts a malicious query with deeply nested fields and relationships. When this query is submitted to the GraphQL endpoint, the server attempts to resolve all nested levels, consuming server resources and potentially causing the application to become unresponsive or crash.

The attack exploits the inherent nature of GraphQL's nested query resolution. Each level of nesting multiplies the resolver workload, and without depth limits, attackers can easily craft queries that overwhelm server resources. This is a well-known attack pattern against GraphQL implementations that lack proper query complexity controls.

Detection Methods for CVE-2025-3602

Indicators of Compromise

  • Unusually large or deeply nested GraphQL queries in web server access logs
  • Sudden spikes in CPU utilization on Liferay application servers coinciding with GraphQL endpoint requests
  • Memory exhaustion alerts or out-of-memory errors in application logs
  • Multiple timeout errors on the GraphQL endpoint

Detection Strategies

  • Implement logging and monitoring of GraphQL query complexity and depth metrics
  • Configure web application firewall (WAF) rules to detect and block abnormally large GraphQL request payloads
  • Set up anomaly detection for GraphQL endpoint request patterns and response times
  • Monitor for repeated failed or timed-out GraphQL requests from single source IPs

Monitoring Recommendations

  • Enable detailed access logging for the /o/graphql endpoint and related GraphQL routes
  • Configure alerting thresholds for GraphQL endpoint response latency degradation
  • Implement rate limiting monitoring on GraphQL endpoints to identify potential abuse patterns
  • Monitor application server resource utilization metrics in correlation with GraphQL traffic

How to Mitigate CVE-2025-3602

Immediate Actions Required

  • Upgrade to a patched version of Liferay Portal or Liferay DXP as specified in the vendor advisory
  • If immediate patching is not possible, consider temporarily disabling or restricting access to the GraphQL endpoint
  • Implement network-level controls to limit access to the GraphQL endpoint to trusted clients only
  • Enable rate limiting on the GraphQL endpoint to slow potential exploitation attempts

Patch Information

Liferay has released security updates to address this vulnerability. Organizations should upgrade to the latest available versions of Liferay Portal and Liferay DXP that include query depth limiting controls. Consult the Liferay Security Advisory for specific version information and upgrade guidance.

Workarounds

  • Implement a reverse proxy or API gateway with GraphQL query depth validation capabilities in front of the Liferay instance
  • Configure web application firewall rules to reject GraphQL queries exceeding a reasonable size threshold
  • Restrict network access to the GraphQL endpoint using firewall rules or security groups
  • Consider disabling GraphQL functionality entirely if not required for business operations until patching is complete

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.