CVE-2025-3526: 
Java vulnerability analysis and mitigation

SessionClicks in Liferay Portal versions 7.0.0 through 7.4.3.21, and Liferay DXP versions 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions contains a vulnerability that was disclosed on June 16, 2025. The vulnerability stems from unrestricted saving of request parameters in HTTP sessions (NVD, Liferay Security).

The vulnerability is classified with a CVSS v4.0 Base Score of 8.7 HIGH (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N). The technical issue is categorized as CWE-400 (Uncontrolled Resource Consumption) and involves SessionClicks not implementing proper restrictions on saving request parameters in HTTP sessions (NVD, Wiz).

The vulnerability allows remote attackers to consume system memory, which can lead to denial-of-service (DoS) conditions. This can be achieved through crafted HTTP requests targeting the SessionClicks functionality (NVD).

Fixed versions have been released to address this vulnerability: Liferay Portal 7.4.3.22, Liferay DXP 7.4 Update 10, and Liferay DXP 7.3 Update 26. Users are advised to upgrade to these patched versions (Liferay Security).