What is the CVSS score of CVE-2025-61795?

CVE-2025-61795 has a CVSS 3.1 base score of 5.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Is there a patch available for CVE-2025-61795?

Yes, a patch is available for CVE-2025-61795. Update the affected software to the latest version immediately.

Apache Tomcat CVE-2025-61795

MEDIUM

Improper Resource Shutdown or Release (CWE-404)

2025-10-27 security@apache.org

Apache Information Disclosure Red Hat Tomcat Suse

5.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

May 12, 2026 - 13:33 vuln.today

CVE Published

Oct 27, 2025 - 18:15 nvd

MEDIUM 5.3

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.

DescriptionNVD

Improper Resource Shutdown or Release vulnerability in Apache Tomcat.

If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.

AnalysisAI

Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.

Technical ContextAI

Apache Tomcat's multipart form data upload handler (RFC 2388) writes uploaded file parts to temporary disk storage during processing. The vulnerability lies in CWE-404 (Improper Resource Shutdown or Release), where exception handling during multipart processing fails to immediately delete temporary files. Instead of synchronous cleanup, Tomcat relies on Java garbage collection to invoke finalizers that remove these files. Under high load or with JVM settings that delay GC cycles, the rate of new temporary file creation can exceed the rate of GC-driven deletion, exhausting available disk space and causing service disruption. The condition is most severe when multipart limits are exceeded or parsing errors occur frequently, as each error leaves orphaned temporary files on disk.

RemediationAI

Upgrade to Apache Tomcat 9.0.110 or later, 10.1.47 or later, or 11.0.12 or later. For users unable to patch immediately, implement the following compensating controls with trade-offs: (1) Configure JVM heap and GC aggressively using flags such as '-XX:+UseG1GC -XX:MaxGCPauseMillis=50' to reduce GC delay, though this increases CPU overhead and latency; (2) Set strict multipart upload limits in Tomcat's connector configuration (maxPostSize, maxHttpHeaderSize) to reduce the likelihood of error conditions, but this may break legitimate large-file uploads; (3) Monitor disk usage on the Tomcat working directory (/path/to/catalina.base/work/) with alerting thresholds set to 80% capacity, enabling rapid detection and manual cleanup before DoS occurs; (4) Restrict multipart upload access to trusted internal networks via firewall rules, eliminating the network attack vector (AV:N) and converting the threat to local or authenticated-only. Consult https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp for official guidance.