CVE-2025-48976

Опубликовано: 16 июн. 2025

Источник: debian

EPSS Низкий

Описание

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Пакеты

Пакет	Статус	Версия исправления	Тип
libcommons-fileupload-java	unfixed		package
tomcat11	unfixed		package
tomcat10	unfixed		package
tomcat9	fixed	9.0.70-2	package

Примечания

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
https://github.com/apache/tomcat/commit/74f69ffaf61e54c727603e7e831fe20f0ac5d2a7 (11.0.8)
https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86 (10.1.42)
https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93 (9.0.106)
https://github.com/apache/commons-fileupload/commit/2108495a4775910b8559f18ed5a779d60542ee96 (commons-fileupload-1.6.0-RC1)

EPSS

Процентиль: 3%

0.00018

Низкий

Связанные уязвимости

CVE-2025-48976

CVSS3: 5.3

redhat

3 дня назад

A denial-of-service (DoS) vulnerability has been discovered in the Apache Commons FileUpload library. The flaw stems from insufficient limits placed on multipart headers during file uploads. A remote attacker could exploit this by sending a specially crafted request with an excessively large number of multipart headers. This malicious input can lead to uncontrolled memory consumption within applications utilizing the library, exhausting system resources and causing a denial of service.

CVE-2025-48976

CVSS3: 7.5

nvd

3 дня назад

GHSA-vv7r-c36w-3prj

github

3 дня назад

Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

EPSS

Процентиль: 3%

0.00018

Низкий