CVE-2025-48976

EUVD-2025-18407 | HIGH 7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd); patch available
EUVD ID Assigned: Mar 14, 2026 - 21:59 (euvd); EUVD-2025-18407
Analysis Generated: Mar 14, 2026 - 21:59 (vuln.today)
CVE Published: Jun 16, 2025 - 15:15 (nvd)

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Analysis

Apache Commons FileUpload contains a denial-of-service vulnerability in multipart header processing, caused by missing limits on resource allocation (CWE-770). Affected versions are 1.0 through 1.5.x and 2.0.0-M1 through 2.0.0-M3. An unauthenticated remote attacker can trigger it with a network request, causing resource exhaustion and service unavailability, with no user interaction or elevated privileges required. The CVSS score of 7.5 (High) reflects the high availability impact; KEV listing and EPSS data indicate how likely exploitation in the wild is.

Technical Context

Apache Commons FileUpload is a widely used Java library for handling file uploads in web applications, particularly in servlet/JSP environments. The vulnerability lies in the multipart/form-data header parsing that runs during HTTP file upload processing. The root cause (CWE-770: Allocation of Resources Without Limits or Throttling) is that the parser does not enforce adequate bounds on resource consumption while reading multipart part headers, so a request with excessively large or numerous part headers can drive unbounded memory or CPU allocation. This is a classic DoS vector in HTTP request handlers that do not enforce header limits. The CPE identifying affected products is cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:* (versions 1.0 to 1.5 and 2.0.0-M1 to 2.0.0-M3).

Affected Products

- Commons FileUpload 1.0 through 1.5.x (inclusive)
- Commons FileUpload 2.0.0-M1 through 2.0.0-M3 (inclusive)

Remediation

- Upgrade to patched version: upgrade Apache Commons FileUpload to version 1.6 or later on the 1.x branch, or to version 2.0.0-M4 or later for the 2.x milestone builds.
- Dependency management: for Maven users, update the pom.xml dependency:
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.6</version>
    </dependency>
  or use <version>2.0.0-M4</version>.
- Interim mitigation (if immediate patching is impossible): enforce application-level request size limits and multipart header count limits in the servlet container or reverse proxy (e.g., nginx, Apache httpd) so that oversized multipart requests are rejected before they reach FileUpload processing.
- Monitor advisories: follow Apache Commons FileUpload security advisories and CVE-2025-48976 tracking for any published POCs or active-exploitation indicators that would accelerate patching timelines.
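As an added example (not code from this advisory or from the Apache project), a servlet that applies the limits the remediation describes on the library side after upgrading to 1.6. It assumes the 1.x javax.servlet API and that 1.6 exposes the per-part header limit as setPartHeaderSizeMax(int) with a 512-byte default; check both against the 1.6 javadoc.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Added example: a servlet that applies explicit upload limits on the
// library side (Commons FileUpload 1.6, javax.servlet API). Not advisory or
// Apache project code.
public class BoundedUploadServlet extends HttpServlet {
    private static final long MAX_REQUEST_BYTES = 10L * 1024 * 1024; // whole multipart body
    private static final long MAX_FILE_BYTES = 5L * 1024 * 1024;     // each uploaded file
    private static final long MAX_PARTS = 20;                        // parts per request
    private static final int MAX_PART_HEADER_BYTES = 512;            // headers of one part

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setSizeMax(MAX_REQUEST_BYTES);   // total request body
        upload.setFileSizeMax(MAX_FILE_BYTES);  // per file part
        upload.setFileCountMax(MAX_PARTS);      // number of parts (API since 1.5)
        // Per-part header limit added in 1.6 for CVE-2025-48976; method name and
        // 512-byte default are assumed here, check the 1.6 javadoc.
        upload.setPartHeaderSizeMax(MAX_PART_HEADER_BYTES);
        try {
            List<FileItem> items = upload.parseRequest(req);
            // ... handle items; every part is already bounded when we get here
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (FileUploadBase.SizeException e) {
            // Body or part exceeded a size limit: reject instead of exhausting memory
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload exceeds limits");
        } catch (FileUploadException e) {
            // Includes the part-count limit and malformed multipart syntax
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "rejected multipart request");
        }
    }
}
```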

Priority Score

38 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.4
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
libcommons-fileupload-java
  Release   Status        Version
  xenial    needs-triage  -
  bionic    needs-triage  -
  focal     needs-triage  -
  jammy     needs-triage  -
  noble     needs-triage  -
  upstream  needs-triage  -
  oracular  ignored       end of life, was needs-triage
  questing  needs-triage  -
  plucky    ignored       end of life, was needs-triage

tomcat10
  Release   Status    Version
  jammy     DNE       -
  oracular  ignored   end of life, was needs-triage
  noble     needed    -
  upstream  released  10.1.42
  plucky    ignored   end of life, was needed
  questing  needed    -

tomcat11
  Release   Status    Version
  jammy     DNE       -
  noble     DNE       -
  oracular  DNE       -
  plucky    DNE       -
  upstream  released  11.0.8
  questing  needed    -

tomcat9
  Release   Status        Version
  noble     not-affected  9.0.70-2ubuntu0.1
  oracular  not-affected  -
  plucky    not-affected  -
  upstream  released      9.0.70-2
  bionic    needed        -
  focal     needed        -
  jammy     needed        -
  questing  not-affected  -

Debian

Bug #1108120
libcommons-fileupload-java
  Release              Status      Fixed Version  Urgency
  bullseye             fixed       1.4-1+deb11u1  -
  bullseye (security)  fixed       1.4-1+deb11u1  -
  bookworm             vulnerable  1.4-2          -
  forky, sid, trixie   vulnerable  1.5-1.1        -
  (unstable)           fixed       (unfixed)      -

tomcat10
  Release                    Status  Fixed Version      Urgency
  bookworm                   fixed   10.1.52-1~deb12u1  -
  bookworm (security)        fixed   10.1.52-1~deb12u1  -
  trixie (security), trixie  fixed   10.1.52-1~deb13u1  -
  forky, sid                 fixed   10.1.52-1          -
  trixie                     fixed   10.1.52-1~deb13u1  -
  (unstable)                 fixed   10.1.46-1          -

tomcat11
  Release                    Status  Fixed Version      Urgency
  trixie (security), trixie  fixed   11.0.15-1~deb13u1  -
  forky, sid                 fixed   11.0.18-1          -
  trixie                     fixed   11.0.15-1~deb13u1  -
  (unstable)                 fixed   11.0.11-1          -

tomcat9
  Release              Status  Fixed Version     Urgency
  bullseye             fixed   9.0.107-0+deb11u1  -
  bullseye (security)  fixed   9.0.107-0+deb11u2  -
  bookworm             fixed   9.0.70-2           -
  trixie               fixed   9.0.95-1           -
  forky, sid           fixed   9.0.115-1          -
  (unstable)           fixed   9.0.70-2           -


CVE-2025-48976 vulnerability details – vuln.today
