How to fix CVE-2025-48988?

Within 24 hours: Inventory all Tomcat instances and document current versions; assess whether affected versions are in production. Within 7 days: Develop and test patching plan for affected systems; prioritize production environments. Within 30 days: Complete deployment of Tomcat 9.0.106, 10.1.42, or 11.0.8 across all affected systems; verify patches in staging before production rollout.

Is Tomcat affected by CVE-2025-48988?

Apache Tomcat versions 8.5.0-11.0.7 contain a resource exhaustion vulnerability that could allow attackers to consume server resources without limits, potentially causing denial of service. Organizations running affected Tomcat instances face operational disruption risk until patching is completed.

CVE-2025-48988

EUVD-2025-18409 HIGH

2025-06-16 [email protected]

GHSA-h3gc-qfqq-6h8f

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 14, 2026 - 21:59 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:59 euvd

EUVD-2025-18409

CVE Published

Jun 16, 2025 - 15:15 nvd

HIGH 7.5

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

Analysis

A remote code execution vulnerability in Apache Tomcat (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Technical Context

Vulnerability type: remote code execution. CVSS 7.5 indicates high severity. Affects Apache Tomcat.

Affected Products

['Apache Tomcat']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

tomcat10

Release	Status	Version
jammy	DNE	-
oracular	ignored	end of life, was needs-triage
noble	needed	-
upstream	released	10.1.42
plucky	ignored	end of life, was needed
questing	needed	-

tomcat11

Release	Status	Version
jammy	DNE	-
noble	DNE	-
oracular	DNE	-
plucky	DNE	-
upstream	released	11.0.8
questing	needed	-

tomcat9

Release	Status	Version
noble	not-affected	9.0.70-2ubuntu0.1
oracular	not-affected	-
plucky	not-affected	-
upstream	released	9.0.70-2
bionic	needed	-
focal	needed	-
jammy	needed	-
questing	not-affected	-

Debian

Bug #1108117

tomcat10

Release	Status	Fixed Version	Urgency
bookworm	fixed	10.1.52-1~deb12u1	-
bookworm (security)	fixed	10.1.52-1~deb12u1	-
trixie (security), trixie	fixed	10.1.52-1~deb13u1	-
forky, sid	fixed	10.1.52-1	-
trixie	fixed	10.1.52-1~deb13u1	-
(unstable)	fixed	10.1.46-1	-

tomcat11

Release	Status	Fixed Version	Urgency
trixie (security), trixie	fixed	11.0.15-1~deb13u1	-
forky, sid	fixed	11.0.18-1	-
trixie	fixed	11.0.15-1~deb13u1	-
(unstable)	fixed	11.0.11-1	-

tomcat9

Release	Status	Fixed Version	Urgency
bullseye	fixed	9.0.107-0+deb11u1	-
bullseye (security)	fixed	9.0.107-0+deb11u2	-
bookworm	fixed	9.0.70-2	-
trixie	fixed	9.0.95-1	-
forky, sid	fixed	9.0.115-1	-
(unstable)	fixed	9.0.70-2	-

DLA-4244-1 DSA-6120-1 DSA-6121-1

CVE-2025-48988 vulnerability details – vuln.today

Back

CVE-2025-48988

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-48988

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code