CVE-2025-3602
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-12-16
Assigner: Liferay Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| liferay | digital_experience_platform | From 2023.q3.1 (inc) to 2023.q3.2 (inc) |
| liferay | digital_experience_platform | 7.2 |
| liferay | digital_experience_platform | 7.3 |
| liferay | digital_experience_platform | 7.4 |
| liferay | liferay_portal | From 7.4.0 (inc) to 7.4.3.97 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-3602 is a vulnerability in Liferay Portal and Liferay DXP where GraphQL queries do not have a limit on their depth. This allows remote attackers to craft and execute highly complex GraphQL queries, which can cause denial-of-service (DoS) attacks against the affected applications by overwhelming them. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing remote attackers to perform denial-of-service (DoS) attacks on your Liferay Portal or DXP application. Such attacks can make the application unavailable or severely degrade its performance, affecting availability and potentially disrupting business operations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusually complex or deeply nested GraphQL queries being executed against the Liferay Portal or DXP instances. Since the vulnerability involves unlimited query depth, detection involves analyzing GraphQL query logs or traffic for queries with excessive depth or complexity that could indicate an attempted DoS attack. Specific commands are not provided in the resources, but network traffic capture tools (e.g., tcpdump, Wireshark) combined with GraphQL query log analysis on the server could be used to identify suspicious queries. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading affected Liferay Portal and DXP instances to the fixed versions: Liferay Portal 7.4.3.98 or later, Liferay DXP 2023.Q3.3 or later, and Liferay DXP 7.3 Update 36 or later. Until an upgrade can be performed, consider implementing network-level protections such as rate limiting or blocking suspicious GraphQL queries with excessive depth to reduce the risk of DoS attacks. [1]
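The detection and interim-mitigation answers above both come down to one measurement: how deeply nested a GraphQL document's selection sets are. The following is an added example, not code from Liferay or BaseFortify, that computes that depth while skipping string literals and comments (so a brace inside an argument value does not inflate the count), runs it over a few constructed JSON-lines log records with assumed `client` and `query` fields, and flags records above a threshold. The threshold of 5 is an assumption to tune against the depth your own schema legitimately needs; the same `is_suspicious` check can sit in front of the endpoint (a reverse proxy or filter) as a stopgap until the fixed versions listed above are deployed.

```python
"""Depth check for GraphQL documents: log triage and pre-execution guard.

Added example; not Liferay's or BaseFortify's code. The log format below
is constructed for illustration (one JSON object per line with "client"
and "query" fields); adapt the field names to whatever your gateway logs.
"""
import json
from typing import Dict, Iterable, List

# Assumed threshold; legitimate depth depends on your schema, so measure
# normal traffic first and set this above the deepest legitimate query.
DEFAULT_MAX_DEPTH = 5


def graphql_max_depth(query: str) -> int:
    """Return the maximum nesting depth of selection sets in a document.

    Counts '{' ... '}' nesting. String literals (single- and triple-quoted)
    and '#' line comments are skipped so that braces inside argument
    values such as  search(text: "{deep}")  do not distort the result.
    Raises ValueError on unbalanced braces (malformed documents are worth
    a look too, so callers treat that as suspicious).
    """
    depth = 0
    max_depth = 0
    i = 0
    n = len(query)
    while i < n:
        ch = query[i]
        if ch == "#":
            # Line comment: advance to the end of the line.
            while i < n and query[i] != "\n":
                i += 1
        elif ch == '"':
            if query.startswith('"""', i):
                end = query.find('"""', i + 3)
                i = n if end == -1 else end + 3
                continue
            i += 1  # past the opening quote
            while i < n and query[i] != '"':
                if query[i] == "\\":  # skip the escaped character
                    i += 1
                i += 1
            i += 1  # past the closing quote
            continue
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in GraphQL document")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces in GraphQL document")
    return max_depth


def is_suspicious(query: str, max_depth: int = DEFAULT_MAX_DEPTH) -> bool:
    """True when the document exceeds the depth budget or is malformed."""
    try:
        return graphql_max_depth(query) > max_depth
    except ValueError:
        return True


def triage_log(lines: Iterable[str], max_depth: int = DEFAULT_MAX_DEPTH) -> List[Dict]:
    """Score each JSON log line that carries a 'query' field.

    Returns one dict per parseable record: client, measured depth
    (-1 for a malformed document) and whether it should be flagged.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not one of our records; skip rather than crash triage
        try:
            depth = graphql_max_depth(rec.get("query", ""))
        except ValueError:
            depth = -1
        results.append({
            "client": rec.get("client"),
            "depth": depth,
            "flagged": depth < 0 or depth > max_depth,
        })
    return results


# Constructed sample records (not real Liferay traffic).
SAMPLE_LOG = """\
{"client": "10.0.0.5", "query": "{ site(id: 1) { name pages { title } } }"}
{"client": "10.0.0.9", "query": "{ a { b { c { d { e { f { g } } } } } } }"}
{"client": "10.0.0.7", "query": "{ search(text: \\"{deep}\\") { id } }"}
"""

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG.splitlines()):
        print(row)
```

Of the three constructed records only the second (depth 7) is flagged; the third shows why string literals must be skipped, since its brace-bearing argument would otherwise read as extra nesting. Depth alone is a coarse signal: breadth (many sibling fields or aliases) and list sizes also drive server cost, so pair this check with the rate limiting the answer above mentions rather than relying on it alone.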