CVE-2025-3602

Published: Jun 16, 2025Modified: Dec 16, 2025

8.7

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: security@liferay.com (Secondary)

Description

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

Affected (57)

Products: Liferay: Digital Experience Platform, Liferay Portal

Liferay

2 products

Digital Experience Platform

Liferay Portal

Configuration A

57 vulnerable

Vulnerable Software	Affected Versions
Liferay Digital Experience Platform	From 2023.q3.1 to 2023.q3.2
Liferay Digital Experience Platform	Version 7.2 fix_pack_10
Liferay Digital Experience Platform	Version 7.2 fix_pack_11
Liferay Digital Experience Platform	Version 7.2 fix_pack_12
Liferay Digital Experience Platform	Version 7.2 fix_pack_13
Liferay Digital Experience Platform	Version 7.2 fix_pack_14
Liferay Digital Experience Platform	Version 7.2 fix_pack_15
Liferay Digital Experience Platform	Version 7.2 fix_pack_16
Liferay Digital Experience Platform	Version 7.2 fix_pack_17
Liferay Digital Experience Platform	Version 7.2 fix_pack_18
Liferay Digital Experience Platform	Version 7.2 fix_pack_19
Liferay Digital Experience Platform	Version 7.2 fix_pack_20
Liferay Digital Experience Platform	Version 7.2 fix_pack_8
Liferay Digital Experience Platform	Version 7.2 fix_pack_9
Liferay Digital Experience Platform	Version 7.3
Liferay Digital Experience Platform	Version 7.3 fix_pack_1
Liferay Digital Experience Platform	Version 7.3 fix_pack_2
Liferay Digital Experience Platform	Version 7.3 service_pack_1
Liferay Digital Experience Platform	Version 7.3 service_pack_2
Liferay Digital Experience Platform	Version 7.3 service_pack_3
Liferay Digital Experience Platform	Version 7.3 update10
Liferay Digital Experience Platform	Version 7.3 update11
Liferay Digital Experience Platform	Version 7.3 update12
Liferay Digital Experience Platform	Version 7.3 update13
Liferay Digital Experience Platform	Version 7.3 update14
Liferay Digital Experience Platform	Version 7.3 update15
Liferay Digital Experience Platform	Version 7.3 update16
Liferay Digital Experience Platform	Version 7.3 update17
Liferay Digital Experience Platform	Version 7.3 update18
Liferay Digital Experience Platform	Version 7.3 update19
Liferay Digital Experience Platform	Version 7.3 update1
Liferay Digital Experience Platform	Version 7.3 update20
Liferay Digital Experience Platform	Version 7.3 update21
Liferay Digital Experience Platform	Version 7.3 update22
Liferay Digital Experience Platform	Version 7.3 update23
Liferay Digital Experience Platform	Version 7.3 update24
Liferay Digital Experience Platform	Version 7.3 update25
Liferay Digital Experience Platform	Version 7.3 update26
Liferay Digital Experience Platform	Version 7.3 update27
Liferay Digital Experience Platform	Version 7.3 update28
Liferay Digital Experience Platform	Version 7.3 update29
Liferay Digital Experience Platform	Version 7.3 update2
Liferay Digital Experience Platform	Version 7.3 update30
Liferay Digital Experience Platform	Version 7.3 update31
Liferay Digital Experience Platform	Version 7.3 update32
Liferay Digital Experience Platform	Version 7.3 update33
Liferay Digital Experience Platform	Version 7.3 update34
Liferay Digital Experience Platform	Version 7.3 update35
Liferay Digital Experience Platform	Version 7.3 update3
Liferay Digital Experience Platform	Version 7.3 update4
Liferay Digital Experience Platform	Version 7.3 update5
Liferay Digital Experience Platform	Version 7.3 update6
Liferay Digital Experience Platform	Version 7.3 update7
Liferay Digital Experience Platform	Version 7.3 update8
Liferay Digital Experience Platform	Version 7.3 update9
Liferay Digital Experience Platform	Version 7.4
Liferay Liferay Portal	From 7.4.0 to 7.4.3.97

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (1)

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3602

Source: security@liferay.com

Vendor Advisory

Timeline

No history available yet.