CVE-2025-3602

Name of the Vulnerable Software and Affected Versions Liferay Portal versions 7.2 fix pack 8 through fix pack 20 Liferay Portal versions 7.3 GA through update 35 Liferay Portal versions 7.4.0 through 7.4.3.97 Liferay DXP versions 7.4 GA through update 92 Liferay DXP versions 2023.Q3.1 through 2023.Q3.2

Description The issue allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex GraphQL queries, as the application does not limit the depth of these queries.

Recommendations For Liferay Portal versions 7.2 fix pack 8 through fix pack 20, consider disabling the GraphQL query functionality until a patch is available. For Liferay Portal versions 7.3 GA through update 35, restrict access to the GraphQL API to minimize the risk of exploitation. For Liferay Portal versions 7.4.0 through 7.4.3.97, avoid using complex GraphQL queries in the application until the issue is resolved. For Liferay DXP versions 7.4 GA through update 92, limit the depth of GraphQL queries to prevent denial-of-service attacks. For Liferay DXP versions 2023.Q3.1 through 2023.Q3.2, apply configuration changes to restrict the complexity of GraphQL queries.