CVE-2025-3526: CWE-400 Uncontrolled Resource Consumption in Liferay Portal
SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.
AI Analysis
Technical Summary
CVE-2025-3526 is a high-severity vulnerability affecting multiple versions of Liferay Portal and Liferay DXP: Liferay Portal 7.0.0 through 7.4.3.21, Liferay DXP 7.4 GA through update 9, Liferay DXP 7.3 GA through update 25, and older unsupported versions. The vulnerability stems from improper handling of HTTP session data: the SessionClicks component does not restrict the saving of request parameters in the HTTP session. This flaw allows remote attackers to craft HTTP requests that cause uncontrolled resource consumption, specifically memory exhaustion, by continuously injecting data into the session storage. Since the session data is stored server-side, repeated or specially crafted requests can cause the server to consume excessive memory, leading to denial-of-service (DoS) conditions. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network with low attack complexity. The CVSS 4.0 base score is 8.7, reflecting its high impact on availability without compromising confidentiality or integrity. No known exploits are currently reported in the wild, but the vulnerability is publicly disclosed and poses a significant risk to affected deployments. The root cause aligns with CWE-400 (Uncontrolled Resource Consumption): a failure to limit resource usage in session management. This issue is critical for organizations relying on Liferay Portal or DXP for web content management, intranet portals, or digital experience platforms, as it can disrupt service availability and degrade user experience.
Potential Impact
For European organizations using Liferay Portal or DXP, this vulnerability presents a substantial risk of service disruption through denial-of-service attacks. Organizations in sectors such as government, finance, education, and large enterprises that deploy Liferay for internal or customer-facing portals could experience outages, impacting business continuity and user trust. The memory exhaustion attack can degrade server performance or cause crashes, potentially requiring manual intervention or system restarts. This could lead to operational downtime, loss of productivity, and reputational damage. Additionally, if exploited during critical business periods, the DoS could affect compliance with service-level agreements (SLAs) and regulatory requirements related to availability. Since no authentication is required, attackers can launch attacks from external networks, increasing the threat surface. The lack of known exploits currently provides a window for proactive mitigation, but the public disclosure means attackers may develop exploits soon. Organizations with high availability requirements or those operating critical infrastructure should prioritize addressing this vulnerability to avoid service interruptions.
Mitigation Recommendations
1. Apply official patches or updates from Liferay as soon as they become available; monitor Liferay’s security advisories closely.
2. Implement web application firewalls (WAFs) with custom rules to detect and block abnormal HTTP request patterns that attempt to inject excessive parameters into sessions.
3. Configure session management settings to limit the size and number of parameters stored per session, if configurable, to prevent excessive memory use.
4. Employ rate limiting and IP reputation filtering at the network perimeter to reduce the risk of automated or volumetric attacks targeting session storage.
5. Monitor server memory usage and session store metrics actively to detect unusual spikes indicative of exploitation attempts.
6. Consider isolating Liferay Portal instances behind reverse proxies that can enforce stricter request validation and parameter size limits.
7. Conduct regular security assessments and penetration testing focusing on session management and resource consumption vectors.
8. Educate development and operations teams about the risks of uncontrolled resource consumption vulnerabilities and best practices for secure session handling.
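The following is an added illustration, not code from Liferay or from this advisory, of the CWE-400 pattern described above and of the control in recommendation 3. It models, in plain Python, a session store that keeps every request parameter it is handed (the unbounded behaviour attributed to SessionClicks) next to a hardened store that caps the number of entries, the size of any single entry and the total bytes held per session, evicting the oldest entries when a budget is exceeded. The class names, the default limits and the constructed request stream are assumptions for the example; nothing here reflects Liferay's actual implementation or configuration keys.

```python
"""Bounded vs. unbounded per-session parameter storage (added example, not Liferay code)."""
from collections import OrderedDict
from typing import Dict


class UnboundedSessionStore:
    """Models the flawed behaviour: every parameter on every request is retained,
    so server memory grows linearly with the number of requests a client sends."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Dict[str, str]] = {}

    def save(self, session_id: str, params: Dict[str, str]) -> None:
        self.sessions.setdefault(session_id, {}).update(params)

    def bytes_used(self, session_id: str) -> int:
        return sum(len(k) + len(v) for k, v in self.sessions.get(session_id, {}).items())


class BoundedSessionStore:
    """Hardened variant with three per-session caps (values are assumed defaults):
    max_entries   - how many parameters one session may hold
    max_value_len - largest key+value accepted for a single entry (larger ones are refused)
    max_bytes     - total bytes one session may hold; oldest entries are evicted past this
    """

    def __init__(self, max_entries: int = 50, max_value_len: int = 256, max_bytes: int = 8192) -> None:
        self.max_entries = max_entries
        self.max_value_len = max_value_len
        self.max_bytes = max_bytes
        self.sessions: Dict[str, "OrderedDict[str, str]"] = {}
        self.rejected = 0  # values refused because a single entry exceeded max_value_len

    @staticmethod
    def _size(store: "OrderedDict[str, str]") -> int:
        return sum(len(k) + len(v) for k, v in store.items())

    def save(self, session_id: str, params: Dict[str, str]) -> None:
        store = self.sessions.setdefault(session_id, OrderedDict())
        for key, value in params.items():
            if len(key) + len(value) > self.max_value_len:
                self.rejected += 1  # refuse oversized entries instead of storing them
                continue
            if key in store:
                store.pop(key)  # re-insert so an updated key counts as most recent
            store[key] = value
            # Evict the oldest entries until both the count and byte budgets hold.
            while store and (len(store) > self.max_entries or self._size(store) > self.max_bytes):
                store.popitem(last=False)

    def bytes_used(self, session_id: str) -> int:
        return self._size(self.sessions.get(session_id, OrderedDict()))


def simulate(store, session_id: str, requests: int, params_per_request: int, value_len: int) -> int:
    """Feed a constructed stream of requests, each carrying fresh parameter names,
    into `store` and return the bytes the session holds afterwards."""
    for r in range(requests):
        params = {f"p{r}_{i}": "x" * value_len for i in range(params_per_request)}
        store.save(session_id, params)
    return store.bytes_used(session_id)


if __name__ == "__main__":
    # Same constructed traffic against both stores: 1000 requests of 20 new
    # 200-byte parameters each. The unbounded store keeps all of it; the
    # bounded one never exceeds its 8192-byte budget for the session.
    unbounded = simulate(UnboundedSessionStore(), "sess-1", 1000, 20, 200)
    bounded = simulate(BoundedSessionStore(), "sess-1", 1000, 20, 200)
    print(f"unbounded store holds {unbounded} bytes; bounded store holds {bounded} bytes")
```

The point of the model is the shape of the control rather than the particular numbers: a per-session ceiling on count and total size turns an attacker-controlled, linearly growing allocation into a fixed one, which is the property a WAF rule or reverse-proxy parameter limit (recommendations 2 and 6) can only approximate from outside the application.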
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Liferay
- Date Reserved: 2025-04-11T16:45:45.148Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685027eca8c9212743843599
Added to database: 6/16/2025, 2:19:24 PM
Last enriched: 6/16/2025, 2:34:49 PM
Last updated: 8/11/2025, 12:33:22 PM