CVE-2025-3526

HIGH

Liferay DXP 7.0.0-7.4.3.21 & DXP 7.4 GA-Update 9, 7.3 GA-Update 25 - DoS via SessionClicks Parameter

Title source: llm

Description

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

References (1)

Core 1

Core References

Vendor Advisory

https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526

Scores

CVSS v3 7.5

EPSS 0.0036

EPSS Percentile 58.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (6)

com.liferay.portal/com.liferay.portal.kernel 0 - 38.0.0Maven

liferay/digital_experience_platform 7.3 (26 CPE variants)

liferay/digital_experience_platform 7.4 (10 CPE variants)

liferay/digital_experience_platform 7.0 - 7.2

liferay/liferay_portal 6.2

liferay/liferay_portal 7.0.0 - 7.4.3.21

Published Jun 16, 2025

Tracked Since Feb 18, 2026