EUVD-2025-18398
GHSA-8c26-xm99-53w7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Description
Liferay Portal 7.4.0 through 7.4.3.97, and Liferay DXP 2023.Q3.1 through 2023.Q3.2, 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 does not limit the depth of a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing complex queries.
Analysis
Liferay Portal and DXP versions fail to implement depth limiting on GraphQL queries, enabling unauthenticated remote attackers to execute deeply nested queries that consume excessive server resources and cause denial-of-service. This affects Liferay Portal 7.4.0-7.4.3.97 and multiple DXP versions (2023.Q3.1-2023.Q3.2, 7.4 GA-Update 92, 7.3 GA-Update 35, 7.2 FP 8-20). With a CVSS 7.5 score, high network exploitability, and no authentication required, this represents a significant availability risk to exposed Liferay installations.
Technical Context
GraphQL is a query language that allows clients to request nested data structures. Without query depth limits (CWE-400: Uncontrolled Resource Consumption), attackers can craft pathological queries with extreme nesting depth (e.g., recursive field selections 100+ levels deep) that force the GraphQL parser and resolver to consume exponential CPU, memory, and I/O resources. Liferay's GraphQL endpoint exposes this flaw because the implementation lacks query complexity analysis, depth validation, or resource throttling—standard GraphQL security practices (as documented by OWASP and GraphQL best practices guides). The vulnerability exists in Liferay Portal's GraphQL API layer (likely liferay-portal artifact). CWE-400 (Uncontrolled Resource Consumption via Algorithmic Complexity) is the root cause class; the GraphQL engine fails to validate or constrain query complexity before execution.
Affected Products
Liferay Portal: versions 7.4.0 through 7.4.3.97 (CPE: cpe:2.3:a:liferay:liferay_portal:7.4.0:*:*:*:*:*:*:*). Liferay DXP: 2023.Q3.1, 2023.Q3.2; 7.4 GA through Update 92; 7.3 GA through Update 35; 7.2 Fix Pack 8 through Fix Pack 20 (CPE pattern: cpe:2.3:a:liferay:liferay_dxp:*:*:*:*:*:*:*:*). All instances with GraphQL API enabled and accessible (typically port 8080 or custom HTTPS ports). Vendor advisory: Liferay Security Bulletin (reference to liferay.com security advisories expected; specific URL not provided in prompt but follow Liferay's official CVE disclosure pages).
Remediation
Immediate: (1) Upgrade Liferay Portal to version 7.4.3.98 or later. (2) Upgrade Liferay DXP to patched versions: 2023.Q3.3+, 7.4 Update 93+, 7.3 Update 36+, 7.2 Fix Pack 21+. (3) Verify patches via Liferay's official security advisory and release notes. Workarounds (short-term, pre-patch): (1) Disable or restrict access to the GraphQL endpoint (/o/graphql) via WAF/load balancer rules if not essential. (2) Implement rate limiting on GraphQL requests by IP/session. (3) Configure query complexity analysis at the application layer (custom GraphQL servlet filter) to reject queries exceeding a depth threshold (e.g., max depth ≤ 15). (4) Monitor resource usage (CPU, memory) on Liferay instances for anomalous spikes. Consult Liferay's official security advisory for validated patch links and deployment guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today