CVE-2025-3602: Liferay Portal does not limit the depth of a GraphQL queries

June 16, 2025 (updated November 10, 2025)

Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.

References

github.com/advisories/GHSA-8c26-xm99-53w7
github.com/liferay/liferay-portal
github.com/liferay/liferay-portal/commit/6c6dad38c9c891ad58cdee9deb2e35432d7e8816
liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3602
nvd.nist.gov/vuln/detail/CVE-2025-3602

Code Behaviors & Features

Detect and mitigate CVE-2025-3602 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →