CVE-2025-3526

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Published: Jun 16, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-3526
GHSA: GHSA-mf3r-6m25-3867
Severity: High
Exploit:

No technical information available.

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
com.liferay.portal / com.liferay.portal.kernel	-	38.0.0

https://github.com/liferay/liferay-portal/commit/429834b7cf7c131576f196466a386bb6ce764716
https://github.com/liferay/liferay-portal/commit/b40fe110eb9d264c9c1a79ff77da317bbe6fa528
https://github.com/liferay/liferay-portal/commit/d9108a12269e6b27689b2fd06f66fb881c8ec894
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526

Vulnerability Database

CVE-2025-3526