CVE-2025-3602: 
Java vulnerability analysis and mitigation

CVE-2025-3602 affects Liferay Portal and DXP systems, where the application fails to limit the depth of GraphQL queries. The vulnerability was discovered and disclosed on October 25, 2024, affecting multiple versions including Liferay Portal 7.4.0 through 7.4.3.97, Liferay DXP 2023.Q3.1 through 2023.Q3.2, DXP 7.4 GA through update 92, 7.3 GA through update 35, and 7.2 fix pack 8 through fix pack 20 (Liferay Advisory).

The vulnerability is characterized by the absence of depth limitations in GraphQL queries, which creates a security weakness in the query processing mechanism. The severity of this vulnerability has been assessed with a CVSS v4.0 score of 8.7 (HIGH), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The vulnerability has been classified under CWE-400 (Uncontrolled Resource Consumption) (NVD).

The primary impact of this vulnerability is the potential for denial-of-service (DoS) attacks. Attackers can exploit this vulnerability by executing complex queries that consume excessive server resources, potentially rendering the service unavailable to legitimate users (Liferay Advisory).

Liferay has released fixes for the affected versions. The patched versions include Liferay Portal 7.4.3.98, Liferay DXP 2023.Q3.3, and Liferay DXP 7.3 U36. Users are advised to upgrade to these fixed versions to mitigate the vulnerability (Liferay Advisory).