CVE-2025-48976

EUVD-2025-18407
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 40%
Affected Products (NVD)
VendorProductVersion
apachecommons_fileupload
1.0 ≤
𝑥
< 1.6
apachecommons_fileupload
2.0.0:m1
apachecommons_fileupload
2.0.0:m1-rc1
apachecommons_fileupload
2.0.0:m2
apachecommons_fileupload
2.0.0:m2-rc1
apachecommons_fileupload
2.0.0:m3
apachecommons_fileupload
2.0.0:m3-rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
1.4-1+deb11u1
fixed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
tomcat10
bookworm
no-dsa
bookworm (security)
10.1.52-1~deb12u1
fixed
forky
10.1.52-1
fixed
sid
10.1.52-1
fixed
trixie
no-dsa
trixie (security)
10.1.52-1~deb13u1
fixed
tomcat11
bookworm
no-dsa
forky
11.0.18-1
fixed
sid
11.0.18-1
fixed
trixie
no-dsa
trixie (security)
11.0.15-1~deb13u1
fixed
tomcat9
bookworm
9.0.70-2
no-dsa
bullseye
vulnerable
bullseye (security)
9.0.107-0+deb11u2
fixed
forky
9.0.115-1
fixed
sid
9.0.115-1
fixed
trixie
9.0.95-1
no-dsa
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
http://www.openwall.com/lists/oss-security/2025/06/16/4
https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html