Liferay Portal fails to restrict the depth of GraphQL queries, enabling attackers to craft excessively nested queries. This flaw allows malicious actors to overwhelm the server by sending deeply recursive queries, consuming excessive CPU and memory resources. The vulnerability stems from insufficient query complexity validation in the GraphQL API endpoint. Attackers exploit this by sending queries with nested fields, causing the server to process them recursively until resources are exhausted. This leads to a denial-of-service (DoS) condition, disrupting service availability.
DailyCVE Form
Platform: Liferay Portal
Version: 7.4.0-7.4.3.97
Vulnerability: GraphQL DoS
Severity: High
Date: Jun 16, 2025
Prediction: Patch by Jul 2025
What Undercode Say
query { field1 { field2 { field3 { ... (repeated nesting) } } } }
How Exploit
- Craft deep GraphQL queries
- Send via API endpoint
- Trigger CPU/memory exhaustion
Protection from this CVE
- Update to 5.0.103
- Implement query depth limiting
- Use rate limiting
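The depth-limiting mitigation listed above, as an added example that is not Liferay's own code: a dependency-free pre-filter that measures how deeply a GraphQL document nests its selection sets and rejects it before any resolver runs. The limit value and the constructed nested queries are assumptions for illustration.

```python
# Added example (not Liferay code): cheap depth pre-filter for GraphQL documents.
# Assumes the raw query string is available at the HTTP boundary (servlet filter/proxy).

MAX_DEPTH = 7  # constructed policy value; tune to the schema's legitimate nesting


def selection_depth(query: str) -> int:
    """Deepest nesting of selection sets ('{' ... '}') in a GraphQL document,
    ignoring braces inside string literals and # comments. Outer operation = 1."""
    depth = max_depth = 0
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == "#":                      # comment runs to end of line
            while i < n and query[i] != "\n":
                i += 1
            continue
        if ch == '"':                      # string literal, honouring escapes
            i += 1
            while i < n and query[i] != '"':
                i += 2 if query[i] == "\\" else 1
        elif ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces in GraphQL query")
        i += 1
    if depth != 0:
        raise ValueError("unbalanced braces in GraphQL query")
    return max_depth


def enforce_depth_limit(query: str, limit: int = MAX_DEPTH) -> tuple[bool, int]:
    """Return (allowed, depth); reject before the resolver layer ever sees it."""
    depth = selection_depth(query)
    return depth <= limit, depth


def build_nested_query(levels: int) -> str:
    """Constructed input: query { field1 { field2 { ... { id } } } } with `levels` fields."""
    opening = "".join(f"field{k} {{ " for k in range(1, levels + 1))
    return "query { " + opening + "id " + "} " * levels + "}"


if __name__ == "__main__":
    for levels in (3, 12):
        ok, d = enforce_depth_limit(build_nested_query(levels))
        print(f"{levels} nested fields -> depth {d}, {'allowed' if ok else 'REJECTED'}")
```

Braces inside string arguments and comments are skipped so a client cannot inflate or hide the measured depth; unbalanced documents are rejected outright rather than passed on to the parser.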
Impact
- Service disruption
- Resource exhaustion
- Unauthorized DoS
Sources:
Reported By: github.com