8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-3526

CVE-2025-3526: Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-3526

CVE-2025-3526:

8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.liferay.portal:com.liferay.portal.kernel	maven	< 38.0.0	38.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability CVE-2025-3526 in Liferay Portal allows remote attackers to cause a Denial of Service (DoS) by consuming system memory. This is due to the SessionClicks utility not adequately restricting the saving of request parameters into the HTTP session.

The analysis of the provided patches (429834b7, b40fe110e, d9108a12) reveals that modifications were made to com.liferay.portal.kernel.util.SessionClicks.java. Specifically, two overloaded put methods were identified as vulnerable. These methods are responsible for storing data in the HTTP session or session-backed portal preferences.

com.liferay.portal.kernel.util.SessionClicks.put(HttpSession httpSession, String namespace, String key, String value): Prior to the patch (evidenced by commit 429834b7), this method directly called httpSession.setAttribute(sessionKey, value) without any checks on the size of the key or value, or the total number of attributes already in the session. The patch introduced these crucial checks.
com.liferay.portal.kernel.util.SessionClicks.put(HttpServletRequest httpServletRequest, String namespace, String key, String value): Similarly, this method, which uses portalPreferences.setValue(...), lacked sufficient restrictions. The refactoring in commit d9108a12 introduced helper methods (_isValidKeyValue and _isValidSize) to enforce these limits, indicating their absence or insufficiency in the vulnerable versions.

An attacker could exploit this by sending crafted HTTP requests with numerous or very large parameters. These parameters would be processed by one of the put methods, leading to an uncontrolled increase in session data size. Over time, this would exhaust available server memory, resulting in a DoS condition. The identified functions are the entry points where this malicious input is processed and stored without proper safeguards in the vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-3526: Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session

CVE-2025-3526:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-3526: Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.7

8.7

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI