CVE-2025-3526: Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
References
- github.com/advisories/GHSA-mf3r-6m25-3867
- github.com/liferay/liferay-portal
- github.com/liferay/liferay-portal/commit/429834b7cf7c131576f196466a386bb6ce764716
- github.com/liferay/liferay-portal/commit/b40fe110eb9d264c9c1a79ff77da317bbe6fa528
- github.com/liferay/liferay-portal/commit/d9108a12269e6b27689b2fd06f66fb881c8ec894
- liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526
- nvd.nist.gov/vuln/detail/CVE-2025-3526
Code Behaviors & Features
Detect and mitigate CVE-2025-3526 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →