CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
Blast Radius (4)
Ecosystem impact:
- 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
- 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.
Description (NVD)
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Analysis (AI)
CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger a denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and the EOL versions 8.5.0 through 8.5.100, and requires only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated Network / Low complexity, it represents a significant availability risk for unpatched deployments.
Technical Context (AI)
The vulnerability resides in Apache Tomcat's multipart form data upload processing (typically invoked via HTTP POST requests with Content-Type: multipart/form-data). The root cause is CWE-190 (Integer Overflow or Wraparound): integer arithmetic on Content-Length or chunk size values is performed without validating the operands before multiplication or addition, so the result can wrap around to a smaller value. An attacker can exploit this to bypass the configured maxPostSize or maxFileSize limits by sending multipart requests whose size headers overflow during the calculation. The affected CPE is cpe:2.3:a:apache:tomcat, with the version ranges 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and the unsupported 8.5.0 through 8.5.100.
Remediation (AI)
Upgrade to patched versions:
- Upgrade to Apache Tomcat 11.0.9 or later for the 11.x branch
- Upgrade to Apache Tomcat 10.1.43 or later for the 10.1.x branch
- Upgrade to Apache Tomcat 9.0.107 or later for the 9.0.x branch
- Note: version 8.5.x is EOL; consider migrating to a supported version rather than applying backports

Workaround (reduce attack surface if patching is delayed):
- Disable multipart form upload handling if the application does not require it
- Implement strict Content-Length validation at the reverse proxy / load balancer before traffic reaches Tomcat
- Configure firewall rules to restrict POST requests with multipart/form-data content type to trusted sources only
- Monitor access logs for unusually large Content-Length headers in POST requests

Vendor Advisory: Refer to the Apache Tomcat security documentation and the release notes for versions 11.0.9, 10.1.43 and 9.0.107 for detailed patch information and changelog entries related to CVE-2025-52520.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needed | - |
| upstream | released | 10.1.43 |
| plucky | ignored | end of life, was needed |
| questing | needed | - |

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| plucky | DNE | - |
| upstream | released | 11.0.9 |
| questing | needed | - |

| Release | Status | Version |
|---|---|---|
| noble | not-affected | 9.0.70-2ubuntu0.1 |
| plucky | not-affected | - |
| upstream | released | 9.0.70-2 |
| bionic | needed | - |
| focal | needed | - |
| jammy | needed | - |
| questing | not-affected | - |
Debian
Bug #1109112

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 10.1.52-1~deb12u1 | - |
| bookworm (security) | fixed | 10.1.52-1~deb12u1 | - |
| trixie (security), trixie | fixed | 10.1.52-1~deb13u1 | - |
| forky, sid | fixed | 10.1.52-1 | - |
| trixie | fixed | 10.1.52-1~deb13u1 | - |
| (unstable) | fixed | 10.1.46-1 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie (security), trixie | fixed | 11.0.15-1~deb13u1 | - |
| forky, sid | fixed | 11.0.18-1 | - |
| trixie | fixed | 11.0.15-1~deb13u1 | - |
| (unstable) | fixed | 11.0.11-1 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 9.0.107-0+deb11u1 | - |
| bullseye (security) | fixed | 9.0.107-0+deb11u2 | - |
| bookworm | fixed | 9.0.70-2 | - |
| trixie | fixed | 9.0.95-1 | - |
| forky, sid | fixed | 9.0.115-1 | - |
| (unstable) | fixed | 9.0.70-2 | - |
Related advisory identifiers
EUVD-2025-21044
GHSA-wr62-c79q-cv37