CVE-2025-3526
📋 TL;DR
This vulnerability in Liferay Portal and DXP allows remote attackers to cause denial-of-service by consuming system memory through crafted HTTP requests. Attackers can save unlimited request parameters in HTTP sessions, leading to memory exhaustion. All users running affected Liferay versions are vulnerable.
💻 Affected Systems
- Liferay Portal
- Liferay DXP
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to memory exhaustion, requiring server restart and potentially causing extended downtime.
Likely Case
Degraded performance and intermittent service disruptions as memory consumption increases.
If Mitigated
Minimal impact with proper memory monitoring and request filtering in place.
🎯 Exploit Status
Exploitation requires sending crafted HTTP requests but no authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Liferay Portal 7.4.3.22+; Liferay DXP 7.4 update 10+, 7.3 update 26+
Vendor Advisory: https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3526
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Liferay customer portal.
2. Apply the patch following Liferay's patching procedures.
3. Restart the Liferay instance.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Request Filtering via WAF
Configure the web application firewall to limit request parameter size and quantity
WAF-specific configuration commands vary by vendor
Session Size Limitation
Configure the application server to limit HTTP session size
Tomcat: set maxActiveSessions and session-timeout in context.xml
Other app servers: consult vendor documentation
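The workaround above says to cap parameter size and quantity but leaves the thresholds to the WAF vendor. The following is an added example, not code from the advisory or from Liferay, that decodes a request's parameters the way a servlet container would (query string plus a form-encoded body) and reports which limits it exceeds; the `ParamLimits` defaults are assumed starting values, not figures from the advisory.

```python
"""Reference check for the "limit request parameter size and quantity" workaround.
Added example; thresholds below are assumptions to be tuned per deployment."""
from dataclasses import dataclass
from urllib.parse import parse_qsl


@dataclass
class ParamLimits:
    max_params: int = 100          # total parameters across query string and body (assumed)
    max_param_bytes: int = 4096    # largest single value, in bytes (assumed)
    max_total_bytes: int = 65536   # combined size of all names and values (assumed)


def inspect_request(query: str, body: str = "", limits: ParamLimits = ParamLimits()) -> dict:
    """Decode query and form-body parameters and report every limit the request exceeds.

    Repeated names are counted once per occurrence (as a container would store them)
    and blank values are kept, so a request such as 'a=&a=&a=' still counts three.
    """
    pairs = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    count = len(pairs)
    total = sum(len(k.encode()) + len(v.encode()) for k, v in pairs)
    longest = max((len(v.encode()) for _, v in pairs), default=0)

    violations = []
    if count > limits.max_params:
        violations.append(f"parameter count {count} exceeds {limits.max_params}")
    if longest > limits.max_param_bytes:
        violations.append(f"largest value {longest} B exceeds {limits.max_param_bytes} B")
    if total > limits.max_total_bytes:
        violations.append(f"total parameter bytes {total} exceed {limits.max_total_bytes}")

    return {
        "allowed": not violations,
        "violations": violations,
        "count": count,
        "largest_bytes": longest,
        "total_bytes": total,
    }


if __name__ == "__main__":
    # Constructed inputs: a normal portal request and one carrying 150 parameters.
    print(inspect_request("p_p_id=58&p_p_lifecycle=0"))
    print(inspect_request("&".join(f"p{i}=x" for i in range(150))))
```

The same three limits map onto container settings where a WAF is not in the path: Tomcat's HTTP `Connector` accepts `maxParameterCount` and `maxPostSize` attributes that reject a request before the application sees it. Either control bounds what a single request can carry; it does not change what the unpatched application then stores in the session, so the thresholds reduce exposure per request rather than remove it.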
🧯 If You Can't Patch
- Implement rate limiting on HTTP requests to reduce attack surface
- Deploy memory monitoring with alerts for abnormal consumption patterns
🔍 How to Verify
Check if Vulnerable:
Check Liferay version via Control Panel → Configuration → Server Administration → System Information
Check Version:
Check Liferay build number in $LIFERAY_HOME/tomcat-*/webapps/ROOT/WEB-INF/liferay-plugin-package.properties
Verify Fix Applied:
Verify version is patched (7.4.3.22+ for Portal, 7.4 update 10+ or 7.3 update 26+ for DXP) and test with controlled memory consumption requests
📡 Detection & Monitoring
Log Indicators:
- Abnormally high memory usage patterns
- Increased garbage collection activity
- OutOfMemoryError in logs
- Session creation spikes
Network Indicators:
- High volume of HTTP requests with many parameters
- Requests with abnormally large parameter payloads
SIEM Query:
source="liferay.logs" AND ("OutOfMemoryError" OR "java.lang.OutOfMemoryError" OR memory_usage > 90%)
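The indicators listed above can be checked offline before they are encoded as SIEM rules. The block below is an added example, not part of the advisory; it scans constructed Tomcat-style application and access log lines (not real Liferay output) for OutOfMemoryError, long garbage-collection pauses, requests carrying an unusually large number of parameters, and per-client request volume, and gives a Python reading of the SIEM query above. The regular expressions, the `Full GC took` message shape, and the thresholds are assumptions to adjust to your own log format.

```python
"""Offline scan of constructed log lines for the memory-exhaustion indicators above.
Added example; log formats and thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed application log lines (assumed Liferay/Tomcat layout, not real output).
APP_LOG = """\
2025-05-12 10:14:58.101 INFO  [http-nio-8080-exec-3][PortalInstances:272] Initializing portal instance
2025-05-12 10:15:03.442 WARN  [http-nio-8080-exec-7][GCMonitor:55] Full GC took 2890 ms, heap 3.7G/4G
2025-05-12 10:15:09.010 ERROR [http-nio-8080-exec-9][PortalRequestProcessor:120] java.lang.OutOfMemoryError: Java heap space
""".splitlines()

# Constructed access log lines in Tomcat's common format; the second carries 300 parameters.
ACCESS_LOG = """\
10.0.0.5 - - [12/May/2025:10:15:01 +0000] "GET /web/guest/home?p_p_id=58&p_p_lifecycle=0 HTTP/1.1" 200 5120
10.0.0.9 - - [12/May/2025:10:15:02 +0000] "POST /web/guest/home?{} HTTP/1.1" 200 512
""".format("&".join(f"k{i}=v" for i in range(300))).splitlines()

OOM_RE = re.compile(r"OutOfMemoryError")
GC_RE = re.compile(r"Full GC took (\d+) ms")          # assumed GC log message shape
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')


def scan_app_log(lines, slow_gc_ms=1000):
    """Return (kind, line) findings for OOM errors and GC pauses at or above slow_gc_ms."""
    findings = []
    for line in lines:
        if OOM_RE.search(line):
            findings.append(("oom", line))
        m = GC_RE.search(line)
        if m and int(m.group(1)) >= slow_gc_ms:
            findings.append(("slow_gc", line))
    return findings


def scan_access_log(lines, max_params=100):
    """Flag requests whose query string exceeds max_params parameters and
    tally requests per client so volume spikes stand out."""
    flagged, per_client = [], Counter()
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # lines that do not parse are skipped, not counted
        client, method, target, status = m.groups()
        per_client[client] += 1
        parts = urlsplit(target)
        n = len(parse_qsl(parts.query, keep_blank_values=True))
        if n > max_params:
            flagged.append({"client": client, "method": method, "path": parts.path,
                            "params": n, "status": int(status)})
    return flagged, per_client


def siem_match(app_lines, memory_pct):
    """Python reading of the SIEM query above: OOM text in the logs OR memory above 90%."""
    return any(OOM_RE.search(line) for line in app_lines) or memory_pct > 90


if __name__ == "__main__":
    for kind, line in scan_app_log(APP_LOG):
        print(kind, "->", line)
    flagged, per_client = scan_access_log(ACCESS_LOG)
    print(flagged, dict(per_client))
    print("alert:", siem_match(APP_LOG, memory_pct=72))
```

The access-log check counts parameters only in the query string; for POST bodies the count has to come from a WAF or a request filter in front of the application, since Tomcat's access log does not record body parameters.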