CVE-2026-41284
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Tomcat is an open-source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations, and Jakarta Authentication specifications, providing a pure Java HTTP web server environment for running Java code. It is one of the most widely used Java application servers.
A low-severity vulnerability (CVE-2026-41284) has been identified in the WebDAV servlet of Apache Tomcat. No limit was enforced on the request body for WebDAV LOCK or PROPFIND requests, both of which are reachable by unauthenticated clients when the WebDAV servlet is enabled. An attacker can send an oversized XML body and force Tomcat to allocate memory proportional to the body, leading to heap exhaustion and a denial-of-service condition.
Per OWASP: Denial of Service (DoS) attacks aim to make a system or service unavailable to legitimate users by consuming resources such as memory, CPU, network bandwidth, or file descriptors. In this case, an unauthenticated attacker can exhaust JVM heap memory by submitting an arbitrarily large WebDAV request body, preventing the server from processing further requests.
This issue affects versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.117, 10.1.0-M1 through 10.1.54, and 11.0.0-M1 through 11.0.21 of Apache Tomcat.
Details
Module Info
- Product: Apache Tomcat
- Affected packages: tomcat-catalina, tomcat-embed-core
- Affected versions: >=8.5.0 <=8.5.100, >=9.0.0.M1 <=9.0.117, >=10.1.0-M1 <=10.1.54, >=11.0.0-M1 <=11.0.21
- GitHub repository: https://github.com/apache/tomcat
- Published packages:
  - Package manager: Maven
- Fixed in:
  - NES for Apache Tomcat
  - Apache Tomcat 11.0.22, 10.1.55, 9.0.118 (OSS)
Vulnerability Info
The vulnerability exists in WebdavServlet.java, which implements the WebDAV protocol on top of Tomcat's DefaultServlet. Two of the WebDAV methods, LOCK and PROPFIND, accept an XML request body and are reachable without authentication when the WebDAV servlet is enabled and the target resource is readable.
Before the fix, both doPropfind() and doLock() buffered the entire request body into an unbounded ByteArrayOutputStream before handing it to the XML parser:

    byte[] body;
    try (InputStream is = req.getInputStream();
         ByteArrayOutputStream os = new ByteArrayOutputStream()) {
        // Copies the whole request body into an in-memory buffer that grows
        // without limit; nothing checks Content-Length or the bytes read so far.
        IOTools.flow(is, os);
        body = os.toByteArray();
    } catch (IOException ioe) {
        resp.sendError(WebdavStatus.SC_BAD_REQUEST);
        return;
    }
No Content-Length header check is performed, and the buffer has no size cap. An unauthenticated client can submit a chunked body, or one with a large declared Content-Length, to a LOCK or PROPFIND endpoint and cause Tomcat to allocate memory proportional to the request body. Because ByteArrayOutputStream grows by copying its contents into a larger array, the peak allocation while a body is being read transiently exceeds the body size, and concurrent requests compound the effect, so the JVM heap can be exhausted before any single body has been fully received.
The patched version introduces a maxRequestBodySize init-param (default 4096 bytes) on the WebDAV servlet, a short-circuit that rejects requests whose declared Content-Length exceeds the limit with 413 Request Entity Too Large, and a BoundedByteArrayOutputStream that aborts buffering as soon as the cap is reached. Both parts are needed: the Content-Length check alone would not cover a chunked request, which declares no length, so the bounded buffer enforces the same cap on the bytes actually read. The limit only applies to requests where the caller does not already have write access to the resource, preserving the ability of authenticated WebDAV write clients to submit larger property updates.
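The vulnerable and the hardened read loops side by side, as an added example written for this page rather than code taken from Tomcat: the class and method names (BoundedWebdavBody, BodyTooLargeException, BoundedByteArrayOutputStream as defined here, readBodyUnbounded, readBodyBounded, DEFAULT_LIMIT) are this example's own, the 4096-byte default is assumed from the advisory's description of maxRequestBodySize, and the request bodies fed in from main are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/** Added example, not Tomcat's code: bounded body buffering in the shape the fix describes. */
public class BoundedWebdavBody {

    /** Assumed to mirror the advisory's stated default for maxRequestBodySize. */
    static final int DEFAULT_LIMIT = 4096;

    /** Signals that the caller should answer 413 instead of continuing to buffer. */
    static final class BodyTooLargeException extends RuntimeException {
        BodyTooLargeException(long seen, int limit) {
            super("request body exceeds " + limit + " bytes (at least " + seen + " declared or read)");
        }
    }

    /** ByteArrayOutputStream that refuses to grow past a fixed cap. */
    static final class BoundedByteArrayOutputStream extends ByteArrayOutputStream {
        private final int limit;

        BoundedByteArrayOutputStream(int limit) {
            super(Math.max(1, Math.min(limit, 1024))); // never pre-allocate more than the cap
            this.limit = limit;
        }

        @Override
        public synchronized void write(int b) {
            checkRoom(1);
            super.write(b);
        }

        @Override
        public synchronized void write(byte[] b, int off, int len) {
            checkRoom(len);
            super.write(b, off, len);
        }

        /** Abort before the backing array is grown, so a chunked client cannot force a large allocation. */
        private void checkRoom(int extra) {
            if (count + extra > limit) {
                throw new BodyTooLargeException((long) count + extra, limit);
            }
        }
    }

    /** Vulnerable shape, kept for contrast: the buffer grows with whatever the client sends. */
    static byte[] readBodyUnbounded(InputStream in) throws IOException {
        ByteArrayOutputStream os = new ByteArrayOutputStream();
        in.transferTo(os);
        return os.toByteArray();
    }

    /**
     * Hardened shape: reject on the declared length before reading anything, and cap the
     * bytes actually read so that a chunked body (declaredLength == -1) hits the same limit.
     */
    static byte[] readBodyBounded(InputStream in, long declaredLength, int limit) throws IOException {
        if (declaredLength > limit) {
            throw new BodyTooLargeException(declaredLength, limit); // caller maps this to 413
        }
        try (BoundedByteArrayOutputStream os = new BoundedByteArrayOutputStream(limit)) {
            byte[] buf = new byte[Math.max(1, Math.min(limit, 2048))];
            int n;
            while ((n = in.read(buf)) != -1) {
                os.write(buf, 0, n); // throws BodyTooLargeException once the cap is crossed
            }
            return os.toByteArray();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a normal PROPFIND body, an oversized declared length with no
        // body sent, and an undeclared (chunked-style) body one byte over the cap.
        byte[] small = "<D:propfind xmlns=\"DAV:\"><D:allprop/></D:propfind>".getBytes(StandardCharsets.UTF_8);
        byte[] ok = readBodyBounded(new ByteArrayInputStream(small), small.length, DEFAULT_LIMIT);
        System.out.println("small body accepted: " + ok.length + " bytes");

        try {
            readBodyBounded(new ByteArrayInputStream(new byte[0]), 100L * 1024 * 1024, DEFAULT_LIMIT);
        } catch (BodyTooLargeException e) {
            System.out.println("declared length rejected before reading: " + e.getMessage());
        }

        byte[] oversized = new byte[DEFAULT_LIMIT + 1];
        Arrays.fill(oversized, (byte) ' ');
        try {
            readBodyBounded(new ByteArrayInputStream(oversized), -1, DEFAULT_LIMIT);
        } catch (BodyTooLargeException e) {
            System.out.println("undeclared body rejected mid-read: " + e.getMessage());
        }
    }
}
```

In a servlet the unchecked BodyTooLargeException would be caught at the top of doPropfind()/doLock() and turned into a 413 response; the point of checking in write() rather than after the copy is that the oversized allocation never happens, which is what distinguishes the fix from merely validating the body once it is already in memory.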
Mitigation
Only recent versions of Apache Tomcat are community-supported. Older versions (8.5.x and earlier) will not receive updates from the Apache project to address this issue; NES for Tomcat includes an update to 8.5.x that addresses it.
Users of the affected components should apply one of the following mitigations:
- Upgrade to a patched version of Apache Tomcat (11.0.22, 10.1.55, or 9.0.118 or later).
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
Where an upgrade cannot be applied immediately, reduce exposure: the WebDAV servlet is not mapped by default and must be declared in web.xml, so remove it where it is not needed, or restrict LOCK and PROPFIND to authenticated users; and enforce a request body size limit at a reverse proxy in front of Tomcat. Note that the Connector's maxPostSize attribute does not bound this path, since it applies only to form-parameter parsing, not to arbitrary request bodies.
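A way to confirm that a deployment actually enforces the declared-length short-circuit, as an added probe written for this page and not part of the advisory or of Tomcat: it sends a PROPFIND whose Content-Length exceeds the assumed 4096-byte default but never sends the body, so a patched server answers 413 immediately while an unpatched one keeps waiting for the promised bytes. The host, port, path and timeout in main are assumptions; point them only at a server you are authorised to test, over plain HTTP.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.nio.charset.StandardCharsets;

/** Added example probe, not Tomcat's code: checks for an early 413 on an oversized declared body. */
public class WebdavBodyLimitProbe {

    enum Result { REJECTED_EARLY, STILL_WAITING_FOR_BODY, OTHER }

    /**
     * Declares a body of declaredLength bytes and sends none of it. The request is sent
     * unauthenticated on purpose: the limit only applies to callers without write access.
     */
    static Result probe(String host, int port, String path, long declaredLength, int timeoutMs)
            throws IOException {
        String request = "PROPFIND " + path + " HTTP/1.1\r\n"
                + "Host: " + host + "\r\n"
                + "Depth: 0\r\n"
                + "Content-Type: text/xml\r\n"
                + "Content-Length: " + declaredLength + "\r\n"
                + "Connection: close\r\n"
                + "\r\n"; // headers only; the body is deliberately never written
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            s.setSoTimeout(timeoutMs);
            OutputStream out = s.getOutputStream();
            out.write(request.getBytes(StandardCharsets.ISO_8859_1));
            out.flush();

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(s.getInputStream(), StandardCharsets.ISO_8859_1));
            String status;
            try {
                status = in.readLine();
            } catch (SocketTimeoutException e) {
                // No response yet: the server is still waiting for the body it was promised,
                // which is what an unpatched WebdavServlet does.
                return Result.STILL_WAITING_FOR_BODY;
            }
            if (status == null) {
                return Result.OTHER;
            }
            System.out.println("status line: " + status);
            // Tomcat may omit the reason phrase, so match on the code alone.
            return status.contains(" 413 ") ? Result.REJECTED_EARLY : Result.OTHER;
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed target and path; 1 MiB is far above the assumed 4096-byte default limit.
        Result r = probe("localhost", 8080, "/webdav/", 1L << 20, 5000);
        System.out.println("result: " + r);
    }
}
```

Read OTHER together with the printed status line: a 401 or 403 means the resource is not readable anonymously and the probe says nothing about the body limit, while a 413 arriving from a reverse proxy rather than Tomcat itself would also show up as REJECTED_EARLY, so check which component answered if a proxy-level body limit is in place.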