Several critical security vulnerabilities have been disclosed in Apache Tomcat web servers, including two high-severity flaws enabling denial-of-service (DoS) attacks and one moderate-severity vulnerability permitting authentication bypass.
These vulnerabilities, identified as CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, and CVE-2025-49125, affect hundreds of thousands of web applications worldwide running on affected Tomcat versions spanning the 9.0.x to 11.0.x series.
The vulnerabilities were reported on June 16, 2025, by security researcher Mark Thomas, with immediate patches available across all affected version branches.
CVE-2025-48976: Memory Exhaustion via Multipart Header Exploitation
The CVE-2025-48976 vulnerability stems from a fixed memory allocation limit in Apache Commons FileUpload, a component integral to Tomcat's multipart request processing.
Prior to patching, the library enforced a hard-coded 10kB limit for individual part headers within multipart requests. Attackers could craft requests containing numerous parts with headers approaching this limit, forcing Tomcat to allocate excessive memory proportional to the number of parts.
For example, a request containing 1,000 parts would consume roughly 10MB of memory solely for headers, potentially triggering out-of-memory errors and service disruption.
Affected versions include Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, and 11.0.0-M1–11.0.7.
CVE-2025-48988: Multipart Upload Resource Exhaustion
CVE-2025-48988 exploits Tomcat's failure to distinguish between request parameters and multipart parts when enforcing size limits.
Unlike standard parameters, multipart parts include headers that persist in memory throughout request processing.
Attackers could send requests with a high part count (e.g., 10,000 parts), each with a minimal payload but headers consuming ~500 bytes. This would allocate ~5MB per request, enabling rapid memory exhaustion.
The vulnerability's severity is compounded by Tomcat's default handling of concurrent connections, allowing attackers to amplify the impact through parallel requests.
CVE-2025-49124: Windows Installer Side-Loading Risk
CVE-2025-49124 targets the Tomcat Windows installer's insecure invocation of icacls.exe, a utility for modifying access control lists (ACLs).
By omitting the full path to C:\Windows\System32\icacls.exe, the installer becomes vulnerable to PATH environment variable manipulation. An attacker with write access to directories earlier in the PATH could place a malicious icacls.exe, which the installer would execute during Tomcat setup.
This privilege escalation vector could enable unauthorized service configuration changes or persistence mechanisms.
CVE-2025-49125: Security Constraint Bypass in Resource Mounting
The CVE-2025-49125 vulnerability allows attackers to bypass authentication and authorization controls for PreResources and PostResources configured outside the web application root.
The issue arises from Tomcat's failure to normalize resource paths before applying security policies, enabling URL manipulation attacks.
Immediate Patching Required
Organizations should prioritize immediate updates to address these vulnerabilities. The Apache Software Foundation has released patches across all affected version branches: Apache Tomcat 11.0.8, Apache Tomcat 10.1.42, and Apache Tomcat 9.0.106.
These updates introduce configurable limits, including the maxPartHeaderSize (default 512 bytes) and maxPartCount (default 10 parts) parameters on the Connector configuration.
System administrators should verify their Tomcat installations and implement configuration changes in the server.xml file, specifically adjusting Connector parameters to prevent resource exhaustion attacks while maintaining application functionality.
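As an added example (not from the article or the Tomcat project), a small Python audit that reads a server.xml and reports each Connector's effective maxPartCount and maxPartHeaderSize against the defaults the fixed releases apply, together with the worst-case header memory one request can tie up. The policy thresholds, the reading of negative values as "no limit", and the sample server.xml are assumptions constructed for this example.

```python
# Added example: audit a Tomcat server.xml for the multipart limits that the
# fixed releases (9.0.106 / 10.1.42 / 11.0.8) add to the Connector element.
import xml.etree.ElementTree as ET

DEFAULT_MAX_PART_COUNT = 10         # Tomcat default when the attribute is absent
DEFAULT_MAX_PART_HEADER_SIZE = 512  # bytes; Tomcat default when absent
# Local policy thresholds: assumptions for this example, not Tomcat values.
POLICY_MAX_PART_COUNT = 50
POLICY_MAX_HEADER_BYTES = 256 * 1024

# Constructed sample: one Connector on defaults, one that removes the part-count
# limit, one whose value is a ${property} placeholder resolved only at startup.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1" maxPartCount="-1"/>
    <Connector port="8009" protocol="AJP/1.3" maxPartCount="${ajp.parts}"/>
  </Service>
</Server>"""


def _int_attr(elem, name, default):
    """Integer attribute value; the default when absent; None when unparseable."""
    raw = elem.get(name)
    if raw is None:
        return default
    try:
        return int(raw)
    except ValueError:  # placeholder such as ${...}: cannot be audited statically
        return None


def audit_server_xml(xml_text):
    """One finding per <Connector>: effective limits, the worst-case bytes one
    request can hold in part headers, and whether the local policy is exceeded."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        count = _int_attr(conn, "maxPartCount", DEFAULT_MAX_PART_COUNT)
        hdr = _int_attr(conn, "maxPartHeaderSize", DEFAULT_MAX_PART_HEADER_SIZE)
        # Negative values are read as "no limit" here (assumption), which brings
        # back the pre-patch exposure; unresolved placeholders are flagged too.
        unbounded = count is None or hdr is None or count < 0 or hdr < 0
        worst = None if unbounded else count * hdr
        findings.append({
            "port": conn.get("port"),
            "maxPartCount": count,
            "maxPartHeaderSize": hdr,
            "worstCaseHeaderBytes": worst,
            "flagged": unbounded or count > POLICY_MAX_PART_COUNT
            or worst > POLICY_MAX_HEADER_BYTES,
        })
    return findings
```

Running the audit on an unpatched release is not meaningful, since those versions ignore the two attributes entirely; upgrade first, then tune.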