CVE-2025-48976

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 19%
VendorProductVersion
apachecommons_fileupload
1.0 ≤
𝑥
< 1.6
apachecommons_fileupload
2.0.0:m1
apachecommons_fileupload
2.0.0:m1-rc1
apachecommons_fileupload
2.0.0:m2
apachecommons_fileupload
2.0.0:m2-rc1
apachecommons_fileupload
2.0.0:m3
apachecommons_fileupload
2.0.0:m3-rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bullseye
vulnerable
bookworm
no-dsa
bullseye (security)
1.4-1+deb11u1
fixed
trixie
vulnerable
sid
vulnerable
tomcat10
bookworm
no-dsa
bookworm (security)
vulnerable
trixie
vulnerable
sid
vulnerable
tomcat11
trixie
vulnerable
sid
vulnerable
bookworm
no-dsa
tomcat9
bullseye
vulnerable
bookworm
9.0.70-2
no-dsa
bullseye (security)
9.0.107-0+deb11u1
fixed
trixie
9.0.95-1
fixed
sid
9.0.95-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
http://www.openwall.com/lists/oss-security/2025/06/16/4