PT-2025-25556 · Liferay · Liferay Portal, Liferay DXP

Published: 2025-06-16 · Updated: 2025-12-16 · CVE-2025-3526

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Liferay Portal versions 7.0.0 through 7.4.3.21
Liferay DXP versions 7.4 GA through update 9
Liferay DXP versions 7.3 GA through update 25
Liferay DXP older unsupported versions
Description

SessionClicks in Liferay Portal and Liferay DXP does not restrict the saving of request parameters in the HTTP session. A remote attacker can therefore consume system memory via crafted HTTP requests, leading to denial-of-service (DoS) conditions.
Recommendations

For Liferay Portal versions 7.0.0 through 7.4.3.21, update to a version that includes the fix for this issue.
For Liferay DXP versions 7.4 GA through update 9, apply update 10 or later to resolve the issue.
For Liferay DXP versions 7.3 GA through update 25, apply update 26 or later to resolve the issue.
For Liferay DXP older unsupported versions, upgrade to a supported version to mitigate the risk of exploitation.
As a temporary workaround, restrict the saving of request parameters in the HTTP session to minimize the risk of denial-of-service conditions.
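The workaround above amounts to bounding what request parameters may add to session state. The following is an added illustration written for this page, not Liferay's SessionClicks code: a hypothetical helper that models the HttpSession attribute map and the servlet parameter map with plain java.util maps, shows the unbounded pattern the advisory describes, and beside it a version that caps the number of distinct parameter names kept per session and the length of each name and value.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper, not Liferay's SessionClicks. sessionAttrs stands in for the
// HttpSession attribute map; requestParams has the shape of
// HttpServletRequest.getParameterMap() (parameter name -> values).
public class BoundedSessionParams {
    static final String ATTR = "bounded.params"; // one session attribute holds all saved params
    static final int MAX_ENTRIES = 64;           // distinct parameter names kept per session
    static final int MAX_NAME_LEN = 64;          // characters allowed in a parameter name
    static final int MAX_VALUE_LEN = 512;        // characters kept per value

    // Unbounded pattern of the kind the advisory describes: every parameter becomes
    // session state, so per-session memory grows with whatever the client sends.
    static void unboundedSave(Map<String, Object> sessionAttrs, Map<String, String[]> requestParams) {
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) sessionAttrs.put(e.getKey(), e.getValue()[0]);
    }

    // Bounded version; returns how many parameters were rejected.
    @SuppressWarnings("unchecked")
    static int boundedSave(Map<String, Object> sessionAttrs, Map<String, String[]> requestParams) {
        Map<String, String> saved = (Map<String, String>)
                sessionAttrs.computeIfAbsent(ATTR, k -> new LinkedHashMap<String, String>());
        int dropped = 0;
        for (Map.Entry<String, String[]> e : requestParams.entrySet()) {
            String name = e.getKey();
            String[] values = e.getValue();
            boolean malformed = name == null || name.length() > MAX_NAME_LEN || values == null || values.length == 0;
            // A new name is admitted only while the cap has room; known names may be updated in place.
            boolean full = !malformed && !saved.containsKey(name) && saved.size() >= MAX_ENTRIES;
            if (malformed || full) { dropped++; continue; }
            String value = values[0];
            saved.put(name, value.length() > MAX_VALUE_LEN ? value.substring(0, MAX_VALUE_LEN) : value);
        }
        return dropped;
    }

    public static void main(String[] args) {
        // Constructed input: one request carrying 10,000 distinct names, each with a 4 KiB value.
        Map<String, String[]> flood = new HashMap<>();
        for (int i = 0; i < 10_000; i++) flood.put("p" + i, new String[] {"x".repeat(4096)});
        Map<String, Object> session = new HashMap<>();
        int dropped = boundedSave(session, flood);
        Map<?, ?> saved = (Map<?, ?>) session.get(ATTR);
        System.out.println("kept " + saved.size() + " parameters, dropped " + dropped);
    }
}
```

With the caps shown, the constructed flood leaves at most 64 short entries in the session regardless of how many requests follow, whereas unboundedSave would retain every name and full value.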

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2025-3526
GHSA-MF3R-6M25-3867

Affected Products

Liferay DXP
Liferay Portal