CVE-2025-3526 — Uncontrolled Resource Consumption in DXP

CWE-400 — Uncontrolled Resource Consumption4 documents4 sources

Severity

8.7HIGHNVD

EPSS

0.4%

top 41.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Liferay DXP Liferay Portal Liferay Digital Experience Platform +1 more

Timeline

PublishedJun 16

Description

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5liferay/portal7.0.0 — 7.4.3.21

▶NVDliferay/liferay_portal7.0.0 — 7.4.3.21+1

▶CVEListV5liferay/dxp6.2.0 — portal-173+5

▶NVDliferay/digital_experience_platform7.0 — 7.2+2

🔴Vulnerability Details

CVEList

CVE-2025-3526: SessionClicks in Liferay Portal 7↗2025-06-16

▶

OSV

Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session↗2025-06-16

▶

GHSA

Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session↗2025-06-16

▶