CVE-2025-48976

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
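
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | UNKNOWN | | | | --- |
| apache | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
| CISA-ADP | ADP | 7.5 HIGH | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
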
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: Unknown
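
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libcommons-fileupload-java | bullseye | | vulnerable |
| libcommons-fileupload-java | bookworm | | vulnerable |
| libcommons-fileupload-java | sid | | vulnerable |
| libcommons-fileupload-java | trixie | | vulnerable |
| tomcat10 | bookworm | | vulnerable |
| tomcat10 | bookworm (security) | | vulnerable |
| tomcat10 | sid | | vulnerable |
| tomcat10 | trixie | | vulnerable |
| tomcat11 | sid | | vulnerable |
| tomcat11 | trixie | | vulnerable |
| tomcat9 | bullseye | | vulnerable |
| tomcat9 | bullseye (security) | | vulnerable |
| tomcat9 | bookworm | 9.0.70-2 | fixed |
| tomcat9 | sid | 9.0.95-1 | fixed |
| tomcat9 | trixie | 9.0.95-1 | fixed |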