Liferay Portal and Liferay DXP Denial-of-Service Vulnerability via Unrestricted Headless API Response Size

Vulnerability

A denial-of-service vulnerability has been identified in Liferay Portal versions 7.4.0 to 7.4.3.99, as well as in Liferay DXP versions 2023.Q3.1 to 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions. The issue arises because these versions do not limit the number of objects returned in a single Headless API response. Without that limit, a remote attacker can send requests whose responses contain very large volumes of data, consuming server resources and potentially disrupting service.
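As an added example (not the advisory's or Liferay's own code), the following enforces a maximum page size on Headless API requests and flags oversized ones in constructed access-log lines; the `/o/headless-` path prefix, the `pageSize` parameter name, the log line format and the cap of 100 are assumptions for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Assumed (not stated in the advisory): Headless APIs live under /o/headless-*
# and accept a pageSize query parameter; the cap itself is a local policy value.
HEADLESS_PREFIX = "/o/headless-"
MAX_PAGE_SIZE = 100


def check_page_size(request_target: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request target (path plus query string).

    Only Headless API paths are inspected; other paths pass through unchanged.
    """
    parts = urlsplit(request_target)
    if not parts.path.startswith(HEADLESS_PREFIX):
        return True, "not a headless api path"
    values = parse_qs(parts.query, keep_blank_values=True).get("pageSize", [])
    if not values:
        return True, "pageSize absent, server default applies"
    if len(values) > 1:
        # Duplicate parameters are ambiguous; refuse rather than guess which wins.
        return False, "duplicate pageSize parameter"
    raw = values[0].strip()
    if not raw.isdigit():
        # One check rejects empty, negative, signed and non-numeric values.
        return False, f"non-numeric pageSize {raw!r}"
    size = int(raw)
    if size == 0 or size > MAX_PAGE_SIZE:
        return False, f"pageSize {size} outside 1..{MAX_PAGE_SIZE}"
    return True, f"pageSize {size} within limit"


def oversized_requests(log_lines):
    """Yield (client, target, reason) for log lines that fail the check.

    Assumed log format: '<client> "<METHOD> <target> HTTP/1.1" <status>'.
    """
    for line in log_lines:
        try:
            client, rest = line.split(' "', 1)
            target = rest.split(" ")[1]
        except (ValueError, IndexError):
            continue  # skip malformed lines instead of aborting the scan
        allowed, reason = check_page_size(target)
        if not allowed:
            yield client.strip(), target, reason


# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 "GET /o/headless-delivery/v1.0/sites/20121/blog-postings?pageSize=20 HTTP/1.1" 200',
    '203.0.113.7 "GET /o/headless-delivery/v1.0/sites/20121/blog-postings?pageSize=100000 HTTP/1.1" 200',
    '198.51.100.9 "GET /o/headless-admin-user/v1.0/user-accounts?page=1&pageSize=abc HTTP/1.1" 400',
    '198.51.100.9 "GET /web/guest/home HTTP/1.1" 200',
]

if __name__ == "__main__":
    for client, target, reason in oversized_requests(SAMPLE_LOG):
        print(client, reason, target)
```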

Impact

Exploitation of this vulnerability can lead to a denial-of-service condition, where the application becomes unresponsive or significantly degraded in performance due to the excessive load from the unregulated API response.

Remediation

Users can upgrade to Liferay Portal 7.4.3.100 or Liferay DXP versions 2024.Q1.1, 2023.Q4.0, 2023.Q3.5, or 7.3 U36 to address this vulnerability.

Added: Oct 27, 2025, 10:20 PM
Updated: Oct 27, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           3.1
  impact           2.5
  exploitability   5.2
  remediation      7.7
  relevance        0.8
  threat           0.0
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.