High severity · NVD Advisory · Published Jun 16, 2025 · Updated Jun 16, 2025

CVE-2025-3526

CVE-2025-3526

Description

SessionClicks in Liferay Portal 7.0.0 through 7.4.3.21, and Liferay DXP 7.4 GA through update 9, 7.3 GA through update 25, and older unsupported versions does not restrict the saving of request parameters in the HTTP session, which allows remote attackers to consume system memory leading to denial-of-service (DoS) conditions via crafted HTTP requests.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
com.liferay.portal:com.liferay.portal.kernel (Maven) | < 38.0.0 | 38.0.0

Affected products

2

Patches

3
b40fe110eb9d

LPS-144246 SF, flip to be consistent

https://github.com/liferay/liferay-portal · Dante Wang · Jan 21, 2022 · via ghsa
1 file changed · +12 12
  • portal-kernel/src/com/liferay/portal/kernel/util/SessionClicks.java+12 12 modified
    @@ -148,21 +148,21 @@ public static void put(
     	}
     
     	private static boolean _isValidKeyValue(String key, String value) {
    -		if ((key.length() > _SESSION_CLICKS_MAX_SIZE_TERMS) ||
    -			(value.length() > _SESSION_CLICKS_MAX_SIZE_TERMS)) {
    -
    -			if (_log.isWarnEnabled()) {
    -				_log.warn(
    -					StringBundler.concat(
    -						"Session clicks has attempted to exceed the maximum ",
    -						"size allowed for keys or values with {key=", key,
    -						", value=", value, "}"));
    -			}
    +		if ((key.length() <= _SESSION_CLICKS_MAX_SIZE_TERMS) &&
    +			(value.length() <= _SESSION_CLICKS_MAX_SIZE_TERMS)) {
     
    -			return false;
    +			return true;
     		}
     
    -		return true;
    +		if (_log.isWarnEnabled()) {
    +			_log.warn(
    +				StringBundler.concat(
    +					"Session clicks has attempted to exceed the maximum size ",
    +					"allowed for keys or values with {key=", key, ", value=",
    +					value, "}"));
    +		}
    +
    +		return false;
     	}
     
     	private static boolean _isValidSize(int size, String key, String value) {
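Review bot: The rejection branch still copies the entire oversized `key` and `value` into the warn message (lines 57–61), so input that exceeds `_SESSION_CLICKS_MAX_SIZE_TERMS` by a wide margin is written in full to the log instead of being discarded, and the size limit becomes a log-volume cost rather than a bound. Logging the lengths is enough to diagnose the rejection: `"allowed for keys or values with {keyLength=", String.valueOf(key.length()), ", valueLength=", String.valueOf(value.length()), "}"`. The same full-value logging is present in `_isValidKeyValue` of d9108a12269e (lines 152–157) and in `put(HttpSession, ...)` of 429834b7cf7c (lines 206–211). Whether callers can pass a null key or value is not visible here; if they can, `key.length()` throws before the check runs.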
    
d9108a12269e

LPS-144246 SF, extract common logic

https://github.com/liferay/liferay-portal · Dante Wang · Jan 21, 2022 · via ghsa
1 file changed · +29 34
  • portal-kernel/src/com/liferay/portal/kernel/util/SessionClicks.java+29 34 modified
    @@ -85,17 +85,7 @@ public static void put(
     		HttpServletRequest httpServletRequest, String namespace, String key,
     		String value) {
     
    -		if ((key.length() > _SESSION_CLICKS_MAX_SIZE_TERMS) ||
    -			(value.length() > _SESSION_CLICKS_MAX_SIZE_TERMS)) {
    -
    -			if (_log.isWarnEnabled()) {
    -				_log.warn(
    -					StringBundler.concat(
    -						"Session clicks has attempted to exceed the maximum ",
    -						"size allowed for keys or values with {key=", key,
    -						", value=", value, "}"));
    -			}
    -
    +		if (!_isValidKeyValue(key, value)) {
     			return;
     		}
     
    @@ -107,18 +97,9 @@ public static void put(
     
     				int size = portalPreferences.size();
     
    -				if (size < _SESSION_CLICKS_MAX_ALLOWED_VALUES) {
    +				if (_isValidSize(size, key, value)) {
     					portalPreferences.setValue(namespace, key, value);
     				}
    -				else {
    -					if (_log.isWarnEnabled()) {
    -						_log.warn(
    -							StringBundler.concat(
    -								"Session clicks has attempted to exceed the ",
    -								"maximum number of allowed values with {key=",
    -								key, ", value=", value, "}"));
    -					}
    -				}
     
     				break;
     			}
    @@ -144,17 +125,7 @@ public static void put(HttpSession httpSession, String key, String value) {
     	public static void put(
     		HttpSession httpSession, String namespace, String key, String value) {
     
    -		if ((key.length() > _SESSION_CLICKS_MAX_SIZE_TERMS) ||
    -			(value.length() > _SESSION_CLICKS_MAX_SIZE_TERMS)) {
    -
    -			if (_log.isWarnEnabled()) {
    -				_log.warn(
    -					StringBundler.concat(
    -						"Session clicks has attempted to exceed the maximum ",
    -						"size allowed for keys or values with {key=", key,
    -						", value=", value, "}"));
    -			}
    -
    +		if (!_isValidKeyValue(key, value)) {
     			return;
     		}
     
    @@ -168,13 +139,35 @@ public static void put(
     			size++;
     		}
     
    -		if (size < _SESSION_CLICKS_MAX_ALLOWED_VALUES) {
    +		if (_isValidSize(size, key, value)) {
     			String sessionKey = StringBundler.concat(
     				namespace, StringPool.COLON, key);
     
     			httpSession.setAttribute(sessionKey, value);
    +		}
    +	}
     
    -			return;
    +	private static boolean _isValidKeyValue(String key, String value) {
    +		if ((key.length() > _SESSION_CLICKS_MAX_SIZE_TERMS) ||
    +			(value.length() > _SESSION_CLICKS_MAX_SIZE_TERMS)) {
    +
    +			if (_log.isWarnEnabled()) {
    +				_log.warn(
    +					StringBundler.concat(
    +						"Session clicks has attempted to exceed the maximum ",
    +						"size allowed for keys or values with {key=", key,
    +						", value=", value, "}"));
    +			}
    +
    +			return false;
    +		}
    +
    +		return true;
    +	}
    +
    +	private static boolean _isValidSize(int size, String key, String value) {
    +		if (size < _SESSION_CLICKS_MAX_ALLOWED_VALUES) {
    +			return true;
     		}
     
     		if (_log.isWarnEnabled()) {
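Review bot: `_isValidKeyValue` and `_isValidSize` read as pure predicates, yet each emits a warn log on its false path, and the `size` they receive means something different per caller: `portalPreferences.size()` at line 97 versus a count of every attribute name in the `HttpSession` at lines 135–136, so in the session variant attributes unrelated to session clicks also count toward `_SESSION_CLICKS_MAX_ALLOWED_VALUES`. Both helpers deserve a Javadoc stating the limit they enforce, that they log when rejecting, and what `size` is expected to count; for `_isValidSize` something like `/** Returns whether one more entry may be stored given {@code size} existing entries; logs a warning and returns false once the cap is reached. */`. `_isValidSize` continues into the next hunk, and the `put` overloads that call these helpers begin outside this hunk.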
    @@ -184,6 +177,8 @@ public static void put(
     					"number of allowed values with {key=", key, ", value=",
     					value, "}"));
     		}
    +
    +		return false;
     	}
     
     	private static final String _DEFAULT_NAMESPACE =
    
429834b7cf7c

LPS-144246 Add size and number check to put(HttpSession, ...)

https://github.com/liferay/liferay-portal · Dante Wang · Jan 5, 2022 · via ghsa
1 file changed · +40 3
  • portal-kernel/src/com/liferay/portal/kernel/util/SessionClicks.java+40 3 modified
    @@ -22,6 +22,7 @@
     import com.liferay.portal.kernel.portlet.PortletPreferencesFactoryUtil;
     
     import java.util.ConcurrentModificationException;
    +import java.util.Enumeration;
     
     import javax.servlet.http.HttpServletRequest;
     import javax.servlet.http.HttpSession;
    @@ -143,10 +144,46 @@ public static void put(HttpSession httpSession, String key, String value) {
     	public static void put(
     		HttpSession httpSession, String namespace, String key, String value) {
     
    -		String sessionKey = StringBundler.concat(
    -			namespace, StringPool.COLON, key);
    +		if ((key.length() > _SESSION_CLICKS_MAX_SIZE_TERMS) ||
    +			(value.length() > _SESSION_CLICKS_MAX_SIZE_TERMS)) {
    +
    +			if (_log.isWarnEnabled()) {
    +				_log.warn(
    +					StringBundler.concat(
    +						"Session clicks has attempted to exceed the maximum ",
    +						"size allowed for keys or values with {key=", key,
    +						", value=", value, "}"));
    +			}
    +
    +			return;
    +		}
    +
    +		Enumeration<String> enumeration = httpSession.getAttributeNames();
    +
    +		int size = 0;
    +
    +		while (enumeration.hasMoreElements()) {
    +			enumeration.nextElement();
    +
    +			size++;
    +		}
     
    -		httpSession.setAttribute(sessionKey, value);
    +		if (size < _SESSION_CLICKS_MAX_ALLOWED_VALUES) {
    +			String sessionKey = StringBundler.concat(
    +				namespace, StringPool.COLON, key);
    +
    +			httpSession.setAttribute(sessionKey, value);
    +
    +			return;
    +		}
    +
    +		if (_log.isWarnEnabled()) {
    +			_log.warn(
    +				StringBundler.concat(
    +					"Session clicks has attempted to exceed the maximum ",
    +					"number of allowed values with {key=", key, ", value=",
    +					value, "}"));
    +		}
     	}
     
     	private static final String _DEFAULT_NAMESPACE =
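Review bot: The attribute count at lines 217–225 covers every attribute in the session and is compared with the cap before the write regardless of whether `sessionKey` is already present, so once a session holds `_SESSION_CLICKS_MAX_ALLOWED_VALUES` attributes an update to an existing click is silently dropped with only a warn log. Build `sessionKey` before the check and let an overwrite through: `if ((size < _SESSION_CLICKS_MAX_ALLOWED_VALUES) || (httpSession.getAttribute(sessionKey) != null)) {`. Nothing here filters by namespace, so attributes stored by other components presumably consume the same budget; that is worth a comment above the loop. The enumeration is also a full pass over the session on every call, which is likely acceptable given the cap but should be stated.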
    


References

6
