CVE-2025-52520

| EUVD-2025-21044 HIGH
2025-07-10 [email protected] GHSA-wr62-c79q-cv37
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21044
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 19:15 nvd
HIGH 7.5

Tags

Apache Tomcat Integer Overflow Java Denial Of Service Redhat Suse

Description

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Analysis

CVE-2025-52520 is an integer overflow vulnerability in Apache Tomcat's multipart upload handling that allows unauthenticated remote attackers to bypass size limits and trigger denial of service. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL version 8.5.0 through 8.5.100, requiring only network access with no authentication. With a CVSS score of 7.5 (High severity) and an attack vector rated as Network/Low complexity, this represents a significant availability risk for unpatched deployments.

Technical Context

The vulnerability resides in Apache Tomcat's multipart form data upload processing mechanism (typically invoked via HTTP POST requests with Content-Type: multipart/form-data). The root cause is CWE-190 (Integer Overflow or Wraparound), where integer arithmetic operations on Content-Length or chunk size calculations fail to properly validate boundaries before multiplication or addition, causing wraparound to smaller values. This allows attackers to bypass configured maxPostSize or maxFileSize limits by crafting multipart requests with specially crafted size headers that overflow during integer calculations. The affected CPE would be cpe:2.3:a:apache:tomcat, with specific version ranges: 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and unsupported 8.5.0-8.5.100.

Affected Products

Apache Tomcat (['11.0.0-M1 through 11.0.8 (active support)', '10.1.0-M1 through 10.1.42 (active support)', '9.0.0.M1 through 9.0.106 (active support)', '8.5.0 through 8.5.100 (EOL at time of CVE publication)'])

Remediation

Upgrade to patched versions; details: ['Upgrade to Apache Tomcat 11.0.9 or later for 11.x branch', 'Upgrade to Apache Tomcat 10.1.43 or later for 10.1.x branch', 'Upgrade to Apache Tomcat 9.0.107 or later for 9.0.x branch', 'Note: Version 8.5.x is EOL; consider migrating to supported versions rather than applying backports'] Workaround: Reduce attack surface if patching is delayed; details: ['Disable multipart form upload handling if not required by application', 'Implement strict Content-Length validation at reverse proxy/load balancer level before traffic reaches Tomcat', 'Configure firewall rules to restrict POST requests with multipart/form-data content type to trusted sources only', 'Monitor access logs for unusually large Content-Length headers in POST requests'] Vendor Advisory: Consult official Apache Tomcat security documentation; details: Refer to Apache Tomcat Security Documentation and release notes for versions 11.0.9, 10.1.43, and 9.0.107 for detailed patch information and changelog entries related to CVE-2025-52520

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Vendor Status

Ubuntu

Priority: Medium
tomcat10
Release Status Version
jammy DNE -
noble needed -
upstream released 10.1.43
plucky ignored end of life, was needed
questing needed -
tomcat11
Release Status Version
jammy DNE -
noble DNE -
plucky DNE -
upstream released 11.0.9
questing needed -
tomcat9
Release Status Version
noble not-affected 9.0.70-2ubuntu0.1
plucky not-affected -
upstream released 9.0.70-2
bionic needed -
focal needed -
jammy needed -
questing not-affected -

Debian

Bug #1109112
tomcat10
Release Status Fixed Version Urgency
bookworm fixed 10.1.52-1~deb12u1 -
bookworm (security) fixed 10.1.52-1~deb12u1 -
trixie (security), trixie fixed 10.1.52-1~deb13u1 -
forky, sid fixed 10.1.52-1 -
trixie fixed 10.1.52-1~deb13u1 -
(unstable) fixed 10.1.46-1 -
tomcat11
Release Status Fixed Version Urgency
trixie (security), trixie fixed 11.0.15-1~deb13u1 -
forky, sid fixed 11.0.18-1 -
trixie fixed 11.0.15-1~deb13u1 -
(unstable) fixed 11.0.11-1 -
tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.107-0+deb11u1 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) fixed 9.0.70-2 -
DLA-4244-1 DSA-6120-1 DSA-6121-1

Share

CVE-2025-52520 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy