Fluid Attacks Database

Description

Liferay Portal SessionClicks does not restrict the saving of request parameters in the HTTP session SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	com.liferay.portal:com.liferay.portal.kernel	>=0 <38.0.0	38.0.0

Aliases

1. CVE-2025-35262. NVD-2025-35263. OSV-2025-35264. GCVE-2025-3526

References

1. https://github.com/liferay/liferay-portal/commit/429834b7cf7c131576f196466a386bb6ce7647162. https://github.com/liferay/liferay-portal/commit/b40fe110eb9d264c9c1a79ff77da317bbe6fa5283. https://github.com/liferay/liferay-portal/commit/d9108a12269e6b27689b2fd06f66fb881c8ec8944. https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.