CVE-2025-3602

EUVD-2025-18398
Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
liferaydigital_experience_platform
2023.q3.1 ≤
𝑥
≤ 2023.q3.2
liferaydigital_experience_platform
7.2:fix_pack_10
liferaydigital_experience_platform
7.2:fix_pack_11
liferaydigital_experience_platform
7.2:fix_pack_12
liferaydigital_experience_platform
7.2:fix_pack_13
liferaydigital_experience_platform
7.2:fix_pack_14
liferaydigital_experience_platform
7.2:fix_pack_15
liferaydigital_experience_platform
7.2:fix_pack_16
liferaydigital_experience_platform
7.2:fix_pack_17
liferaydigital_experience_platform
7.2:fix_pack_18
liferaydigital_experience_platform
7.2:fix_pack_19
liferaydigital_experience_platform
7.2:fix_pack_20
liferaydigital_experience_platform
7.2:fix_pack_8
liferaydigital_experience_platform
7.2:fix_pack_9
liferaydigital_experience_platform
7.3
liferaydigital_experience_platform
7.3:fix_pack_1
liferaydigital_experience_platform
7.3:fix_pack_2
liferaydigital_experience_platform
7.3:service_pack_1
liferaydigital_experience_platform
7.3:service_pack_2
liferaydigital_experience_platform
7.3:service_pack_3
liferaydigital_experience_platform
7.3:update1
liferaydigital_experience_platform
7.3:update10
liferaydigital_experience_platform
7.3:update11
liferaydigital_experience_platform
7.3:update12
liferaydigital_experience_platform
7.3:update13
liferaydigital_experience_platform
7.3:update14
liferaydigital_experience_platform
7.3:update15
liferaydigital_experience_platform
7.3:update16
liferaydigital_experience_platform
7.3:update17
liferaydigital_experience_platform
7.3:update18
liferaydigital_experience_platform
7.3:update19
liferaydigital_experience_platform
7.3:update2
liferaydigital_experience_platform
7.3:update20
liferaydigital_experience_platform
7.3:update21
liferaydigital_experience_platform
7.3:update22
liferaydigital_experience_platform
7.3:update23
liferaydigital_experience_platform
7.3:update24
liferaydigital_experience_platform
7.3:update25
liferaydigital_experience_platform
7.3:update26
liferaydigital_experience_platform
7.3:update27
liferaydigital_experience_platform
7.3:update28
liferaydigital_experience_platform
7.3:update29
liferaydigital_experience_platform
7.3:update3
liferaydigital_experience_platform
7.3:update30
liferaydigital_experience_platform
7.3:update31
liferaydigital_experience_platform
7.3:update32
liferaydigital_experience_platform
7.3:update33
liferaydigital_experience_platform
7.3:update34
liferaydigital_experience_platform
7.3:update35
liferaydigital_experience_platform
7.3:update4
liferaydigital_experience_platform
7.3:update5
liferaydigital_experience_platform
7.3:update6
liferaydigital_experience_platform
7.3:update7
liferaydigital_experience_platform
7.3:update8
liferaydigital_experience_platform
7.3:update9
liferaydigital_experience_platform
7.4
liferayliferay_portal
7.4.0 ≤
𝑥
≤ 7.4.3.97
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3602