CVE-2025-43796 Overview
CVE-2025-43796 is a denial-of-service vulnerability affecting Liferay Portal and Liferay Digital Experience Platform (DXP). The flaw stems from the absence of a result-size limit on GraphQL queries. Authenticated remote attackers can submit queries that return excessively large object sets, exhausting application resources and rendering the portal unavailable. The issue is tracked as CWE-400: Uncontrolled Resource Consumption and impacts Liferay Portal 7.4.0 through 7.4.3.101, DXP 2023.Q3.0 through 2023.Q3.4, DXP 7.4 GA through update 92, and DXP 7.3 GA through update 35.
Critical Impact
A low-privileged attacker can disrupt Liferay portal availability by issuing unbounded GraphQL queries that force the server to materialize large result sets, leading to resource exhaustion and service outage.
Affected Products
- Liferay Portal 7.4.0 through 7.4.3.101
- Liferay DXP 2023.Q3.0 through 2023.Q3.4 and 7.4 GA through update 92
- Liferay DXP 7.3 GA through update 35
Discovery Timeline
- 2025-09-12 - CVE-2025-43796 published to NVD
- 2025-12-16 - Last updated in NVD database
Technical Details for CVE-2025-43796
Vulnerability Analysis
Liferay exposes a GraphQL API (/o/graphql) that allows clients to query domain objects such as users, sites, web content, documents, and custom object entries. The vulnerable versions do not enforce an upper bound on the number of objects returned by a single query. An attacker can request a list field with a very large pageSize or omit pagination constraints, causing the backend to load, serialize, and return thousands of records in one operation.
The resulting load consumes excessive heap memory, database connections, and CPU cycles. Repeated queries from a single authenticated session can saturate the JVM, trigger long garbage-collection pauses, and starve other tenants on the same node. Because GraphQL allows multiple top-level fields and nested selections in one request, a single well-formed but oversized query can amplify the impact further.
Root Cause
The root cause is missing input validation on GraphQL pagination and result-size parameters. Liferay's GraphQL resolvers accept user-supplied paging arguments without clamping them to a server-side maximum. This is a classic resource-exhaustion pattern catalogued as CWE-400, commonly observed in GraphQL APIs that lack query cost analysis or depth limiting.
Attack Vector
Exploitation requires network access to the GraphQL endpoint and a valid authenticated session (the CVSS vector indicates PR:L). After authenticating, the attacker submits a GraphQL query requesting a high-cardinality object collection with an inflated page size. Repeating the request, or pipelining several within one HTTP call, drives availability impact (VA:H). No user interaction is required, and the attack does not affect confidentiality or integrity.
No public proof-of-concept exploit is currently listed in Exploit-DB or referenced in CISA KEV. Refer to the Liferay Security Advisory CVE-2025-43796 for vendor technical details.
Detection Methods for CVE-2025-43796
Indicators of Compromise
- HTTP POST requests to /o/graphql or /o/headless-* endpoints with abnormally large pageSize values or omitted pagination arguments.
- Spikes in JVM heap usage, full GC pauses, and database connection pool exhaustion on Liferay nodes.
- Repeated GraphQL queries from a single authenticated user agent or IP returning multi-megabyte JSON responses.
Detection Strategies
- Inspect application access logs for GraphQL queries containing pageSize parameters above a defined safe threshold (for example, greater than 100).
- Correlate GraphQL request volume against backend response time and memory metrics to flag query-driven resource spikes.
- Deploy a web application firewall (WAF) rule or reverse-proxy filter that parses GraphQL bodies and rejects unbounded list queries.
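The following inspector is an added example, not code from Liferay or from the original advisory. It implements the checks listed above (a pageSize above a safe threshold, list fields with pagination omitted, several top-level collections in one request) over JSON GraphQL request bodies as a reverse proxy would capture them, and it is the same decision a WAF rule under Workarounds would apply. It also resolves a pageSize passed through a GraphQL variable, which a filter that only looks at literal arguments would miss. The collection field names in LIST_FIELDS and every sample body are assumptions constructed for illustration; adjust the names to the schema actually deployed.

```python
"""
Added example (not Liferay's code): inspect GraphQL request bodies for the
unbounded-list pattern behind CVE-2025-43796. All sample bodies below are
constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Organizational maximum for pageSize (the advisory suggests 100 as a threshold).
PAGE_SIZE_THRESHOLD = 100

# Collection fields to police. These names are assumptions, not taken from
# Liferay documentation; replace them with the list fields of your schema.
LIST_FIELDS = {"users", "sites", "structuredContents", "documents", "objectEntries"}

# A field that opens a selection set: `name(args) {` or `name {`.
FIELD_RE = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*(?:\(([^)]*)\))?\s*\{")
# A pageSize argument: integer literal or a `$variable` reference.
PAGE_SIZE_RE = re.compile(r"\bpageSize\s*:\s*(\$?[A-Za-z0-9_]+)")


@dataclass
class Finding:
    field: str
    reason: str
    page_size: Optional[int] = None


def resolve_page_size(raw: str, variables: dict) -> Optional[int]:
    """Turn a pageSize argument into an int, following `$var` into the
    variables object. Returns None when the value cannot be determined."""
    if raw.startswith("$"):
        value = variables.get(raw[1:])
        return value if isinstance(value, int) and not isinstance(value, bool) else None
    return int(raw) if raw.isdigit() else None


def inspect_request(body: str, threshold: int = PAGE_SIZE_THRESHOLD) -> list:
    """Inspect one JSON GraphQL request body ({"query": ..., "variables": ...}).
    Flags list fields whose pageSize is absent, unresolvable, or above threshold."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return [Finding("<body>", "not valid JSON")]
    if not isinstance(payload, dict):
        return [Finding("<body>", "not a JSON object")]
    query = payload.get("query") or ""
    variables = payload.get("variables") or {}
    if not isinstance(variables, dict):
        variables = {}

    findings = []
    for m in FIELD_RE.finditer(query):
        name, args = m.group(1), m.group(2) or ""
        if name not in LIST_FIELDS:
            continue
        ps = PAGE_SIZE_RE.search(args)
        if ps is None:
            findings.append(Finding(name, "no pageSize argument (unbounded)"))
            continue
        size = resolve_page_size(ps.group(1), variables)
        if size is None:
            findings.append(Finding(name, "pageSize could not be resolved"))
        elif size > threshold:
            findings.append(Finding(name, "pageSize above threshold", size))
    return findings


def count_top_level_fields(query: str) -> int:
    """Count fields in the operation's outermost selection set (brace depth 1).
    Several top-level collections in one request amplify the load.
    Braces inside string literals are not handled; adequate for triage."""
    count = 0
    for m in FIELD_RE.finditer(query):
        prefix = query[: m.start()]
        if prefix.count("{") - prefix.count("}") == 1:
            count += 1
    return count


def should_block(body: str, threshold: int = PAGE_SIZE_THRESHOLD) -> bool:
    """Decision a proxy filter or WAF rule would make: reject on any finding."""
    return bool(inspect_request(body, threshold))


# Constructed sample bodies, shaped like what a proxy would capture.
SAMPLE_BODIES = [
    # benign: bounded page
    json.dumps({"query": "{ users(pageSize: 20) { items { id } } }"}),
    # oversized literal pageSize
    json.dumps({"query": "{ users(pageSize: 50000) { items { id } } }"}),
    # oversized value passed through a variable
    json.dumps({"query": "query($n: Int) { documents(pageSize: $n) { items { id } } }",
                "variables": {"n": 10000}}),
    # pagination omitted on two list fields in one request
    json.dumps({"query": "{ sites { items { id } } users { items { id } } }"}),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        q = json.loads(body)["query"]
        print(f"top-level={count_top_level_fields(q)} block={should_block(body)} "
              f"findings={inspect_request(body)}")
```

Run as a script it prints one line per sample; only the first is allowed through. The regex-based parse is deliberately shallow so it can run in a proxy hot path; a full GraphQL parser (or the server-side clamp that the fix itself supplies) is the authoritative check.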
Monitoring Recommendations
- Alert on sustained high response sizes or response times from the GraphQL endpoint relative to historical baselines.
- Monitor authenticated session activity for anomalous query patterns originating from low-privilege accounts.
- Track JVM garbage-collection frequency, heap utilization, and Tomcat thread-pool saturation on Liferay nodes to detect early DoS conditions.
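An added example (not from the original advisory) of the first monitoring recommendation: a detector that compares per-minute GraphQL response size against a rolling baseline and alerts only when the excursion is sustained, so a single large export does not page anyone. Samples that are already anomalous are kept out of the baseline so attack traffic cannot become the new normal. The window, multiplier and sample series are constructed assumptions; the same class works unchanged for response time.

```python
"""
Added example: sustained baseline-relative alerting for GraphQL response
sizes (or response times). The sample series is constructed.
"""
from collections import deque
from statistics import mean, pstdev


class SustainedExcursionDetector:
    def __init__(self, window=30, k=3.0, sustain=3, min_samples=5):
        self.history = deque(maxlen=window)  # recent non-anomalous samples
        self.k = k                           # sigma multiplier for the threshold
        self.sustain = sustain               # consecutive excursions before alerting
        self.min_samples = min_samples       # warm-up before comparing
        self.streak = 0

    def observe(self, value: float) -> bool:
        """Feed one sample (e.g. mean response bytes for the minute).
        Returns True while an alert should be active."""
        alerting = False
        if len(self.history) >= self.min_samples:
            mu = mean(self.history)
            # Floor sigma at 5% of the mean so a flat baseline does not
            # make a trivial increase look like an outlier.
            sigma = max(pstdev(self.history), 0.05 * mu)
            if value > mu + self.k * sigma:
                self.streak += 1
            else:
                self.streak = 0
            alerting = self.streak >= self.sustain
        if self.streak == 0:
            # Only learn from samples that look normal.
            self.history.append(value)
        return alerting


def alert_indices(series, **kwargs) -> list:
    """Indices of the samples at which the detector was alerting."""
    det = SustainedExcursionDetector(**kwargs)
    return [i for i, v in enumerate(series) if det.observe(v)]


# Constructed series: 20 minutes of ~40 KB responses, then 5 minutes of ~5 MB.
SAMPLE_SERIES = [40000, 42000, 39000, 41000] * 5 + [5_000_000] * 5

if __name__ == "__main__":
    print("alerting at minutes:", alert_indices(SAMPLE_SERIES))
```

With the defaults the first two oversized minutes only build the streak; the alert fires from the third onward, and the baseline still reflects the pre-incident traffic once the spike ends.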
How to Mitigate CVE-2025-43796
Immediate Actions Required
- Upgrade to a fixed Liferay Portal or DXP release as documented in the Liferay Security Advisory CVE-2025-43796.
- Restrict GraphQL endpoint exposure to trusted networks and require authenticated, least-privilege accounts.
- Apply rate limiting and request-size limits at the reverse proxy or API gateway in front of Liferay.
Patch Information
Liferay has issued fixes for the affected branches. Administrators should consult the Liferay Security Advisory CVE-2025-43796 for the exact update or service pack versions applicable to Liferay Portal 7.4.x, DXP 2023.Q3, DXP 7.4, and DXP 7.3 deployments. Apply the relevant update and restart the portal nodes.
Workarounds
- Configure a WAF rule to reject GraphQL queries whose pageSize or equivalent argument exceeds an organizational maximum.
- Disable or firewall the /o/graphql endpoint for user populations that do not require it.
- Implement per-account request rate limits and JVM resource quotas to contain the impact of abusive queries until patches are deployed.
# Example NGINX rate-limit snippet for the Liferay GraphQL endpoint
http {
    # Placeholder upstream; point it at the real Liferay node(s).
    upstream liferay_upstream {
        server 127.0.0.1:8080;
    }

    # One zone keyed by client address: 10 requests per minute per address.
    limit_req_zone $binary_remote_addr zone=graphql_zone:10m rate=10r/m;

    server {
        location /o/graphql {
            limit_req zone=graphql_zone burst=5 nodelay;
            client_max_body_size 16k;
            proxy_pass http://liferay_upstream;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.