CVE-2025-48976

EUVD-2025-18407
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
Affected Products (NVD)
VendorProductVersion
apachecommons_fileupload
1.0 ≤
𝑥
< 1.6
apachecommons_fileupload
2.0.0:m1
apachecommons_fileupload
2.0.0:m1-rc1
apachecommons_fileupload
2.0.0:m2
apachecommons_fileupload
2.0.0:m2-rc1
apachecommons_fileupload
2.0.0:m3
apachecommons_fileupload
2.0.0:m3-rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libcommons-fileupload-java
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
1.4-1+deb11u1
fixed
forky
vulnerable
sid
vulnerable
trixie
no-dsa
tomcat10
bookworm
10.1.52-1~deb12u1
fixed
bookworm (security)
10.1.52-1~deb12u1
fixed
forky
10.1.54-1
fixed
sid
10.1.54-1
fixed
trixie
10.1.52-1~deb13u1
fixed
trixie (security)
10.1.52-1~deb13u1
fixed
tomcat11
forky
11.0.21-1
fixed
sid
11.0.22-2
fixed
trixie
11.0.15-1~deb13u1
fixed
trixie (security)
11.0.15-1~deb13u1
fixed
tomcat9
bookworm
9.0.70-2
fixed
bullseye
vulnerable
bullseye (security)
9.0.107-0+deb11u2
fixed
forky
9.0.115-1
fixed
sid
9.0.115-1
fixed
trixie
9.0.95-1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
tomcat
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-admin-webapps
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-docs-webapp
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-el-3.0-api
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-jsp-2.3-api
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-lib
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-servlet-4.0-api
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
tomcat-webapps
RHEL 8
1:9.0.87-1.el8_10.6
fixed
RHEL 8.8 E4S
1:9.0.87-1.el8_8.7
fixed
RHEL 8.8 TUS
1:9.0.87-1.el8_8.7
fixed
RHEL 9
1:9.0.87-3.el9_6.3
fixed
Common Weakness Enumeration
References
https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
http://www.openwall.com/lists/oss-security/2025/06/16/4
https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html
https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html