Описание
Apache Tomcat - DoS in multipart upload
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2025-48988
- https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
- https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
- https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
- https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
- https://tomcat.apache.org/security-10.html
- https://tomcat.apache.org/security-11.html
- https://tomcat.apache.org/security-9.html
- http://www.openwall.com/lists/oss-security/2025/06/16/1
Пакеты
org.apache.tomcat:tomcat-catalina
>= 11.0.0-M1, <= 11.0.7
11.0.8
org.apache.tomcat:tomcat-catalina
>= 10.1.0-M1, <= 10.1.41
10.1.42
org.apache.tomcat:tomcat-catalina
>= 9.0.0.M1, <= 9.0.105
9.0.106
org.apache.tomcat.embed:tomcat-embed-core
>= 11.0.0-M1, <= 11.0.7
11.0.8
org.apache.tomcat.embed:tomcat-embed-core
>= 10.1.0-M1, <= 10.1.41
10.1.42
org.apache.tomcat.embed:tomcat-embed-core
>= 9.0.0.M1, <= 9.0.105
9.0.106
Связанные уязвимости
A denial-of-service (DoS) vulnerability has been identified in Apache Tomcat, concerning its handling of upload limits. A remote attacker could exploit this flaw by sending a specially crafted request containing an excessively large number of multipart sections. This malicious request can trigger excessive memory consumption on the Tomcat server, ultimately leading to resource exhaustion and a denial-of-service condition.
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Allocation of Resources Without Limits or Throttling vulnerability in ...