Home > Vulnerability Database > CVE-2025-3526

Mend.io Vulnerability Database

CVE-2025-3526

Good to know:

Date: June 16, 2025

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Severity Score

7.5

Related Resources (7)

Url: https://github.com/liferay/liferay-portal

Url: https://github.com/liferay/liferay-portal/commit/d9108a12269e6b27689b2fd06f66fb881c8ec894

Url: https://github.com/liferay/liferay-portal/commit/b40fe110eb9d264c9c1a79ff77da317bbe6fa528

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-3526

Url: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526

Url: https://github.com/liferay/liferay-portal/commit/429834b7cf7c131576f196466a386bb6ce764716

Url: https://www.mend.io/vulnerability-database/CVE-2025-3526

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Top Fix

Upgrade Version

Upgrade to version com.liferay.portal:com.liferay.portal.kernel:38.0.0;com.liferay.portal:com.liferay.portal.kernel:38.0.0;https://github.com/liferay/liferay-portal.git - 7.4.3.14-ga14

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-3526

Good to know:

Date: June 16, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?