CVE-2025-43796

HIGH

Liferay Portal 7.4.0-7.4.3.101 and DXP 2023.Q3.0-2023.Q3.4 - Uncontrolled Resource Consumption via GraphQL Queries

Title source: llm

Description

Liferay Portal 7.4.0 through 7.4.3.101, and Liferay DXP 2023.Q3.0 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA though update 35 does not limit the number of objects returned from a GraphQL queries, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing queries that return a large number of objects.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-43796

Scores

CVSS v3 7.5

EPSS 0.0019

EPSS Percentile 40.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (4)

com.liferay/com.liferay.portal.vulcan.api 8.0.2 - 40.2.0Maven

com.liferay/com.liferay.portal.vulcan.impl 5.0.7 - 5.0.105Maven

liferay/digital_experience_platform 7.3 (41 CPE variants)

liferay/digital_experience_platform 7.4 (7 CPE variants)

Published Sep 12, 2025

Tracked Since Feb 18, 2026