CVE-2025-3602
📋 TL;DR
This vulnerability allows remote attackers to perform denial-of-service attacks on Liferay Portal/DXP by sending complex GraphQL queries that overwhelm system resources. Affected systems include Liferay Portal 7.4.0-7.4.3.97 and multiple Liferay DXP versions from 7.2 through 2023.Q3.2.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete application unavailability due to resource exhaustion, affecting all users and potentially disrupting business operations.
Likely Case
Performance degradation or temporary service interruptions during attack periods.
If Mitigated
Minimal impact with query depth limits and rate limiting in place.
🎯 Exploit Status
Attack requires only sending specially crafted GraphQL queries; no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.98+, Liferay DXP 2023.Q3.3+, 7.4 update 93+, 7.3 update 36+, 7.2 fix pack 21+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3602
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Liferay Customer Portal.
2. Apply the patch following Liferay patching procedures.
3. Restart the application server.
🔧 Temporary Workarounds
Implement GraphQL query depth limiting
Configure the GraphQL server to limit query depth to prevent deeply nested queries
Configure in application properties: graphql.servlet.maxQueryDepth=10
Implement rate limiting
Add rate limiting to GraphQL endpoints to prevent abuse
Configure web server or application firewall to limit requests per IP
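The depth-limiting workaround above is the core mitigation. The following is an added example, not Liferay code and not tied to the graphql.servlet.maxQueryDepth property; it shows what a depth limit actually has to do when placed in front of a GraphQL endpoint: count nested selection sets while ignoring braces that appear inside strings, comments and argument object literals, and reject documents that exceed the limit. Fragment spreads are not expanded, so it is a pre-filter, not a replacement for the server's own instrumentation (graphql-java, which Liferay builds on, ships MaxQueryDepthInstrumentation for this). The sample queries and the nested_sample fixture are constructed.

```python
"""Reject GraphQL documents whose selection sets nest deeper than a limit.

Added illustration, not Liferay's implementation. Depth counts nested
selection sets, with the root selection set as depth 1. Braces inside
strings, block strings, comments and argument object literals are not
counted. Fragment spreads (...Name) are NOT expanded, so a production
deployment should rely on the server's own depth instrumentation too.
"""

MAX_DEPTH = 10  # same value as the advisory's suggested maxQueryDepth=10


def query_depth(document: str) -> int:
    """Return the maximum selection-set nesting depth of a GraphQL document."""
    depth = 0          # current selection-set nesting
    max_depth = 0
    paren_depth = 0    # >0 while inside an argument list: braces there are object values
    i, n = 0, len(document)
    while i < n:
        ch = document[i]
        if ch == "#":                       # line comment: skip to end of line
            while i < n and document[i] != "\n":
                i += 1
        elif document.startswith('"""', i):  # block string
            end = document.find('"""', i + 3)
            i = n if end == -1 else end + 3
            continue
        elif ch == '"':                     # ordinary string, honour backslash escapes
            i += 1
            while i < n and document[i] != '"':
                if document[i] == "\\":
                    i += 1
                i += 1
        elif ch == "(":
            paren_depth += 1
        elif ch == ")":
            paren_depth = max(0, paren_depth - 1)
        elif ch == "{" and paren_depth == 0:
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}" and paren_depth == 0:
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return max_depth


def check_query(document: str, max_depth: int = MAX_DEPTH) -> tuple:
    """Return (accepted, reason); malformed documents are rejected rather than passed through."""
    try:
        d = query_depth(document)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    if d > max_depth:
        return False, f"rejected: depth {d} exceeds limit {max_depth}"
    return True, f"accepted: depth {d}"


def nested_sample(levels: int) -> str:
    """Constructed test fixture: `levels` nested selection sets, e.g. { f { f { id } } }."""
    body = "id"
    for _ in range(levels - 1):
        body = "f { " + body + " }"
    return "{ " + body + " }"


# Constructed query whose braces in an argument object, a string and a comment must not count.
ORDINARY_QUERY = (
    'query Q { items(filter: {owner: {id: 7}}) { id name(format: "{raw}") } } # {{{{'
)

if __name__ == "__main__":
    print(check_query(ORDINARY_QUERY))        # accepted: depth 2
    print(check_query(nested_sample(10)))     # accepted: depth 10 (at the limit)
    print(check_query(nested_sample(12)))     # rejected: depth 12 exceeds limit 10
```

Rejecting on a parse error (unbalanced braces) is deliberate: a pre-filter that "fails open" on input it cannot understand is easily bypassed, so anything it cannot measure is treated as over the limit.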
🧯 If You Can't Patch
- Disable GraphQL endpoints if not required
- Implement WAF rules to block complex GraphQL queries
🔍 How to Verify
Check if Vulnerable:
Check the Liferay version against the affected ranges; test with a deeply nested GraphQL query to see whether the server becomes unresponsive
Check Version:
Check Liferay Control Panel → Configuration → Server Administration → System Information
Verify Fix Applied:
Verify the version is patched; test with a deeply nested GraphQL query to confirm a proper error response
📡 Detection & Monitoring
Log Indicators:
- Unusually large GraphQL query execution times
- High CPU/memory usage spikes
- GraphQL query depth warnings
Network Indicators:
- Multiple complex GraphQL queries from single source
- Large GraphQL request payloads
SIEM Query:
source="liferay" AND ("GraphQL" OR "query") AND (duration>5000 OR "timeout")
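The SIEM query above keys on execution time; the log and network indicators also mention query depth, timeouts and repeated complex queries from one source. The following is an added example (not Liferay's logging or any vendor tooling) that applies all three criteria to a handful of constructed log lines in a hypothetical key=value layout. Liferay's actual log format differs, so LINE_RE and the field names are assumptions to be adapted to your own pattern; the thresholds mirror the advisory's duration>5000 and maxQueryDepth=10 values.

```python
import re
from collections import Counter

# Constructed sample log lines in a hypothetical format (not Liferay's real layout).
SAMPLE_LOG = """\
2025-04-10T12:00:01Z INFO  GraphQL client=203.0.113.5 duration_ms=120 depth=3 status=ok
2025-04-10T12:00:02Z WARN  GraphQL client=203.0.113.5 duration_ms=6120 depth=14 status=ok
2025-04-10T12:00:02Z WARN  GraphQL client=203.0.113.5 duration_ms=7300 depth=15 status=timeout
2025-04-10T12:00:03Z INFO  GraphQL client=198.51.100.7 duration_ms=80 depth=2 status=ok
2025-04-10T12:00:04Z WARN  GraphQL client=203.0.113.5 duration_ms=5900 depth=14 status=timeout
"""

# Assumed field layout; adapt to the real log pattern in your deployment.
LINE_RE = re.compile(
    r"GraphQL client=(?P<client>\S+) duration_ms=(?P<ms>\d+) "
    r"depth=(?P<depth>\d+) status=(?P<status>\w+)"
)

SLOW_MS = 5000     # same threshold as the advisory's duration>5000
DEPTH_WARN = 10    # same value as the suggested maxQueryDepth=10
BURST = 3          # expensive queries from one client before we alert


def parse_events(log_text: str) -> list:
    """Turn matching log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "client": m["client"],
                "ms": int(m["ms"]),
                "depth": int(m["depth"]),
                "status": m["status"],
            })
    return events


def is_expensive(event: dict, slow_ms: int = SLOW_MS, depth_warn: int = DEPTH_WARN) -> bool:
    """One event is expensive if it was slow, deeply nested, or timed out."""
    return event["ms"] > slow_ms or event["depth"] > depth_warn or event["status"] == "timeout"


def suspicious_clients(events: list, burst: int = BURST) -> dict:
    """Map client -> number of expensive queries, keeping only clients at or above `burst`."""
    hits = Counter(e["client"] for e in events if is_expensive(e))
    return {client: n for client, n in hits.items() if n >= burst}


if __name__ == "__main__":
    for client, n in suspicious_clients(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {client}: {n} expensive GraphQL queries")
```

Counting per client rather than alerting on each slow query separately is what separates an attack from one legitimately heavy report; in a real pipeline the count would be taken over a sliding time window rather than the whole log.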