CVE-2025-3602 GraphQL queries does not limit depth

Description

Liferay Portal and Liferay DXP does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

Severity

8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)

Affected Version(s)

Liferay Portal 7.4.0 through 7.4.3.97
Liferay DXP 2023.Q3.1 through 2023.Q3.2
Liferay DXP 7.4
Liferay DXP 7.3 GA through Update 35
Liferay DXP 7.2 FP8 through FP20

Fixed Version(s)

Liferay Portal 7.4.3.98
Liferay DXP 2023.Q3.3
Liferay DXP 7.3 U36

Publication date: Fri, 25 Oct 2024 10:56:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) are only listed here since 2023. Historial advisories are availabe in the Help Center.

Known Vulnerabilities

Releases

Description

Severity

Affected Version(s)

Fixed Version(s)