How the CVE Works:
The vulnerability exists in Liferay Portal’s `SessionClicks` component, which fails to restrict the storage of arbitrary request parameters in the HTTP session. Attackers can send crafted HTTP requests containing excessive or malicious parameters, forcing the server to store them in the session. This uncontrolled session data accumulation leads to memory exhaustion, resulting in a denial-of-service (DoS) condition. The flaw affects Liferay Portal 7.0.0 through 7.4.3.21 and Liferay DXP 7.4 GA (update 9) and earlier versions.
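To make the flaw class concrete, here is an added illustration (not Liferay's SessionClicks code, written for this page) of the unbounded pattern described above next to a bounded version; the servlet API calls are real, while the `ui.` key prefix and the size limits are assumed values chosen for the example.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Map;

// Hypothetical illustration of the weakness class, not the vendor's implementation.
public class SessionParamStore {

    // Vulnerable pattern: every request parameter is copied into the session with no
    // limit on key name, value size, or number of entries, so each request can grow
    // session memory until the JVM runs out.
    static void storeAllUnbounded(HttpServletRequest req) {
        HttpSession session = req.getSession();
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            session.setAttribute(e.getKey(), e.getValue()[0]);
        }
    }

    // Hardened pattern: only keys under an expected prefix (assumed "ui."), a cap on
    // value length, and a per-session cap on distinct stored entries.
    private static final String ALLOWED_PREFIX = "ui.";   // assumed namespace
    private static final int MAX_KEY_LEN = 64;            // assumed limit
    private static final int MAX_VALUE_LEN = 256;         // assumed limit
    private static final int MAX_ENTRIES = 32;            // assumed limit
    private static final String COUNT_KEY = "sessionParamStore.count";

    // Returns the number of parameters that were rejected; a non-zero count is worth
    // logging, since a burst of rejections on one session is a detection signal.
    static int storeBounded(HttpServletRequest req) {
        HttpSession session = req.getSession();
        int rejected = 0;
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            String key = e.getKey();
            String value = e.getValue().length > 0 ? e.getValue()[0] : null;
            if (!key.startsWith(ALLOWED_PREFIX) || key.length() > MAX_KEY_LEN
                    || value == null || value.length() > MAX_VALUE_LEN) {
                rejected++;
                continue;
            }
            Integer stored = (Integer) session.getAttribute(COUNT_KEY);
            int n = stored == null ? 0 : stored;
            if (session.getAttribute(key) == null) {   // new entry, check the cap
                if (n >= MAX_ENTRIES) { rejected++; continue; }
                session.setAttribute(COUNT_KEY, n + 1);
            }
            session.setAttribute(key, value);          // overwrite keeps the count flat
        }
        return rejected;
    }
}
```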
DailyCVE Form:
Platform: Liferay Portal
Version: < 38.0.0
Vulnerability: Session Parameter Handling
Severity: High
Date: Jun 16, 2025
Prediction: Patch by Jul 2025
What Undercode Say:
curl -X GET "http://vulnerable-liferay/endpoint?malicious=param"
// Example of session parameter injection
request.getSession().setAttribute("exploit", largePayload);
How Exploit:
Craft HTTP requests with oversized or repeated parameters to exhaust server memory.
Protection from this CVE:
Upgrade to Liferay Portal 38.0.0 or apply patches.
Impact:
Memory exhaustion leading to DoS.
Sources:
Reported By: github.com