Skip to main content

Java CVE-2025-48976

| EUVDEUVD-2025-18407 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-06-16 security@apache.org GHSA-vv7r-c36w-3prj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18407
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
CVE Published
Jun 16, 2025 - 15:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 247 maven packages depend on commons-fileupload:commons-fileupload (43 direct, 205 indirect)
  • 815 maven packages depend on org.apache.commons:commons-fileupload2-core (7 direct, 808 indirect)

Ecosystem-wide dependent count for version 1.0 and other introduced versions.

DescriptionCVE.org

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

AnalysisAI

Apache Commons FileUpload contains a Denial of Service vulnerability in multipart header processing due to insufficient resource allocation limits (CWE-770). Affected versions are 1.0 through 1.5.x and 2.0.0-M1 through 2.0.0-M3. An unauthenticated remote attacker can exploit this with a network request to cause resource exhaustion and service unavailability without requiring user interaction or elevated privileges. CVSS 7.5 (High) reflects the high availability impact; KEV and EPSS data availability would determine exploitation likelihood in the wild.

Technical ContextAI

Apache Commons FileUpload is a widely-used Java library for handling file uploads in web applications, particularly in servlet/JSP environments. The vulnerability exists in the multipart/form-data header parsing mechanism, which is invoked during HTTP file upload processing. The root cause (CWE-770: Allocation of Resources Without Limits or Throttling) indicates the parser fails to enforce adequate bounds on resource consumption when processing multipart headers. An attacker can craft malicious multipart requests with excessively large or numerous headers that cause the parser to allocate unbounded memory or CPU resources. This is a classic DoS vector in HTTP request handlers where header limits are not enforced. CPE strings would identify: cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* (versions 1.0-1.5 and 2.0.0-M1 to 2.0.0-M3).

RemediationAI

  • action: Upgrade to patched version; details: Upgrade Apache Commons FileUpload to version 1.6 or later for 1.x branch, or to version 2.0.0-M4 or later for 2.x milestone builds.
  • action: Dependency management; details: For Maven users, update pom.xml dependency: <dependency><groupId>commons-fileupload</groupId><artifactId>commons-fileupload</artifactId><version>1.6</version></dependency> or <version>2.0.0-M4</version>
  • action: Interim mitigation (if immediate patching impossible); details: Implement application-level request size limits and multipart header count limits in the servlet container or reverse proxy (e.g., nginx, Apache httpd) to enforce maximum header size thresholds and reject oversized multipart requests before they reach FileUpload processing.
  • action: Monitor advisories; details: Monitor Apache Commons FileUpload security advisories and the CVE-2025-48976 tracking for any published POCs or active exploitation indicators that would accelerate patching timelines.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Ubuntu

Priority: Medium
libcommons-fileupload-java
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage
tomcat10
Release Status Version
jammy DNE -
oracular ignored end of life, was needs-triage
noble needed -
upstream released 10.1.42
plucky ignored end of life, was needed
questing needed -
tomcat11
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream released 11.0.8
questing needed -
tomcat9
Release Status Version
noble not-affected 9.0.70-2ubuntu0.1
oracular not-affected -
plucky not-affected -
upstream released 9.0.70-2
bionic needed -
focal needed -
jammy needed -
questing not-affected -

Debian

Bug #1108120
libcommons-fileupload-java
Release Status Fixed Version Urgency
bullseye fixed 1.4-1+deb11u1 -
bullseye (security) fixed 1.4-1+deb11u1 -
bookworm vulnerable 1.4-2 -
forky, sid, trixie vulnerable 1.5-1.1 -
(unstable) fixed (unfixed) -
tomcat10
Release Status Fixed Version Urgency
bookworm fixed 10.1.52-1~deb12u1 -
bookworm (security) fixed 10.1.52-1~deb12u1 -
trixie (security), trixie fixed 10.1.52-1~deb13u1 -
forky, sid fixed 10.1.52-1 -
trixie fixed 10.1.52-1~deb13u1 -
(unstable) fixed 10.1.46-1 -
tomcat11
Release Status Fixed Version Urgency
trixie (security), trixie fixed 11.0.15-1~deb13u1 -
forky, sid fixed 11.0.18-1 -
trixie fixed 11.0.15-1~deb13u1 -
(unstable) fixed 11.0.11-1 -
tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.107-0+deb11u1 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) fixed 9.0.70-2 -

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.0.6.40 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Fixed

Share

CVE-2025-48976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy