Liferay Portal and Liferay DXP GraphQL Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Liferay Portal versions 7.4.0 to 7.4.3.101, as well as in Liferay DXP versions 2023.Q3.0 to 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35. The issue arises because these versions do not limit the number of objects returned by GraphQL queries. This lack of restriction allows remote attackers to execute queries that retrieve large volumes of data, potentially overwhelming the application and causing service disruptions.

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive or significantly degraded in performance due to the excessive data processing.

Remediation

Users can upgrade to Liferay Portal 7.4.3.102 or Liferay DXP versions 2023.Q4.0, 2023.Q3.5, or 7.3 U36 to address this vulnerability.
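As an added illustration of the weakness described above (example code written for this page, not code from Liferay or from the advisory): a defender-side pre-check that bounds how many objects a GraphQL query could return and rejects it when a cap is exceeded. It assumes collection fields take a `pageSize` (or `first`) argument; the argument names, the limits and the two sample queries are constructed for the example.

```python
import re

# "pageSize" and "first" are assumed collection-size argument names
TOKEN_RE = re.compile(r"\{|\}|\b(?:pageSize|first)\s*:\s*(\d+)")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def estimate_query(query: str) -> dict:
    """Bound the objects a GraphQL query can return: selection depth, largest
    page size, and the product of page sizes along the heaviest nested path."""
    cleaned = STRING_RE.sub('""', query)  # ignore braces/args inside strings
    depth = max_depth = max_page = 0
    product = max_objects = 1
    pending = 1   # page size of the field whose selection set opens next
    stack = []    # factor pushed at each '{' so the matching '}' can undo it
    for m in TOKEN_RE.finditer(cleaned):
        tok = m.group(0)
        if tok == "{":
            depth += 1
            product *= pending
            stack.append(pending)
            pending = 1
            max_depth, max_objects = max(max_depth, depth), max(max_objects, product)
        elif tok == "}":
            if stack:              # tolerate unbalanced input
                depth -= 1
                product //= stack.pop()
        else:
            pending = int(m.group(1))
            max_page = max(max_page, pending)
    return {"depth": max_depth, "page_size": max_page, "objects": max_objects}


def enforce_limits(query: str, max_page_size=100, max_depth=5, max_objects=1000) -> list:
    """Return violation strings; an empty list means the query may be forwarded."""
    est = estimate_query(query)
    checks = [("page_size", max_page_size), ("depth", max_depth), ("objects", max_objects)]
    return [f"{k} {est[k]} exceeds limit {lim}" for k, lim in checks if est[k] > lim]


# Constructed sample queries (not a real Liferay schema):
BENIGN = "query { posts(pageSize: 20) { items { title } } }"
ABUSIVE = ("query { users(pageSize: 10000) { items { posts(pageSize: 10000) { items "
           "{ comments(pageSize: 10000) { items { body } } } } } } }")

if __name__ == "__main__":
    for q in (BENIGN, ABUSIVE):
        print(enforce_limits(q) or "allowed")
```

The product bound is deliberately pessimistic: nested collections multiply, so three nested requests of 10000 objects each are scored as 10^12 potential objects even though the server may return fewer.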

Added: Sep 12, 2025, 8:17 PM
Updated: Sep 12, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.