
The Apache Software Foundation has disclosed four security vulnerabilities affecting multiple versions of Apache Tomcat, the widely used open-source Java servlet container. These flaws—ranging from denial of service (DoS) conditions to privilege bypass and installer abuse—impact Tomcat versions 9.0, 10.1, and 11.0.
CVE-2025-48976 – DoS via Multipart Header Overload
Tomcat's copy of Apache Commons FileUpload, which handles multipart parsing, previously enforced a hard-coded 10kB limit on the size of each part's headers. A malicious request containing a large number of parts, each carrying headers close to that limit, could consume excessive memory and cause a denial of service.
“A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS,” the advisory explains.
The fix makes the limit configurable through the maxPartHeaderSize Connector attribute, which now defaults to 512 bytes. Applications that legitimately send larger part headers will see those requests rejected after upgrading and must raise the attribute explicitly.
CVE-2025-48988 – Multipart Upload Abuse Enables DoS
This vulnerability also involves multipart uploads but concerns the number of parts rather than the size of their headers. Tomcat previously had no dedicated limit on parts; they were counted against the same limit as ordinary request parameters, and because each part costs considerably more memory to process than a simple parameter, an attacker could send part-heavy uploads to drain memory and crash the service.
“Processing multipart requests can result in significantly more memory usage… a specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS,” the advisory writes.
The fix adds a new Connector attribute, maxPartCount, with a default of 10 parts per request. Applications that legitimately accept more parts (multi-file upload forms, for example) must raise it explicitly after upgrading.
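The two DoS shapes above (many parts with large headers for CVE-2025-48976, a very large number of parts for CVE-2025-48988) and the effect of the two new limits are easiest to see on constructed input. The following is an added example written for this article, not Tomcat or Commons FileUpload code: a minimal multipart parser that enforces a part-count limit and a per-part header-size limit before buffering, using Tomcat's documented defaults of 10 and 512 bytes. The boundary string, header names and payloads are constructed, and the value 1000 used as the "old shared limit" is an assumption standing in for the limit parts previously shared with request parameters.

```python
"""Multipart limit enforcement modelled on the Tomcat fix.

Added example for this article; it is not Apache Tomcat or Commons FileUpload
code. It mirrors the two limits the advisories introduce, maxPartHeaderSize
(default 512 bytes) and maxPartCount (default 10), in a minimal parser so the
two attack shapes and the effect of the limits can be seen on constructed input.
"""

MAX_PART_COUNT = 10          # Tomcat's documented default for maxPartCount
MAX_PART_HEADER_SIZE = 512   # Tomcat's documented default for maxPartHeaderSize
BOUNDARY = b"----ExampleBoundary7MA4YWxk"   # constructed for the sample requests


class MultipartLimitExceeded(Exception):
    def __init__(self, reason):
        super().__init__(reason)
        self.reason = reason         # "part-count" or "header-size"


def build_multipart(boundary, parts):
    """Assemble a multipart/form-data body from (header list, payload) tuples."""
    out = bytearray()
    for headers, payload in parts:
        out += b"--" + boundary + b"\r\n"
        for name, value in headers:
            out += name + b": " + value + b"\r\n"
        out += b"\r\n" + payload + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def parse_multipart(body, boundary, max_part_count=MAX_PART_COUNT,
                    max_part_header_size=MAX_PART_HEADER_SIZE):
    """Parse a multipart body, checking both limits before buffering anything.

    The part-count check runs before each new part is read, and the search for
    the end of a part's header block is bounded to max_part_header_size bytes,
    so neither an enormous part count nor a bloated header block can grow
    memory use past what the limits allow. Returns [(headers_dict, payload)].
    """
    delimiter = b"--" + boundary
    parts, pos = [], 0
    while True:
        start = body.find(delimiter, pos)
        if start == -1:
            raise ValueError("missing boundary")
        after = start + len(delimiter)
        if body.startswith(b"--", after):
            return parts                          # closing delimiter reached
        if not body.startswith(b"\r\n", after):
            raise ValueError("malformed delimiter line")
        if len(parts) + 1 > max_part_count:
            raise MultipartLimitExceeded("part-count")

        hdr_start = after + 2
        if body.startswith(b"\r\n", hdr_start):   # part with no headers at all
            hdr_block, payload_start = b"", hdr_start + 2
        else:
            # Look for the blank line only inside the permitted window; a header
            # block that is larger (or never terminated) is refused unread.
            window_end = hdr_start + max_part_header_size + 4
            hdr_end = body.find(b"\r\n\r\n", hdr_start, window_end)
            if hdr_end == -1:
                raise MultipartLimitExceeded("header-size")
            hdr_block, payload_start = body[hdr_start:hdr_end], hdr_end + 4

        headers = {}
        for line in hdr_block.split(b"\r\n") if hdr_block else []:
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line")
            headers[name.strip().lower()] = value.strip()

        payload_end = body.find(b"\r\n" + delimiter, payload_start)
        if payload_end == -1:
            raise ValueError("unterminated part")
        parts.append((headers, body[payload_start:payload_end]))
        pos = payload_end + 2


def outcome(body, boundary, **limits):
    """'accepted:<part count>' or 'rejected:<reason>' for one request."""
    try:
        return f"accepted:{len(parse_multipart(body, boundary, **limits))}"
    except MultipartLimitExceeded as exc:
        return f"rejected:{exc.reason}"


# Constructed sample requests.
def legitimate_upload():
    """An ordinary two-part form post: one small file and one text field."""
    return build_multipart(BOUNDARY, [
        ([(b"Content-Disposition", b'form-data; name="file"; filename="report.txt"'),
          (b"Content-Type", b"text/plain")], b"quarterly numbers"),
        ([(b"Content-Disposition", b'form-data; name="note"')], b"please review"),
    ])


def part_flood(count):
    """CVE-2025-48988 shape: a great many tiny parts in one request."""
    part = ([(b"Content-Disposition", b'form-data; name="p"')], b"x")
    return build_multipart(BOUNDARY, [part] * count)


def header_bloat(filler_bytes=9000):
    """CVE-2025-48976 shape: a part whose header block sits just under 10kB."""
    return build_multipart(BOUNDARY, [
        ([(b"Content-Disposition", b'form-data; name="p"'),
          (b"X-Filler", b"A" * filler_bytes)], b"x"),
    ])
```

Calling outcome(part_flood(1000), BOUNDARY, max_part_count=1000) shows the old behaviour accepting a thousand parts, while the default rejects the eleventh part before reading it; likewise header_bloat() is accepted under a 10 * 1024 header limit and rejected at the new 512-byte default. The bounded find() call is the part worth copying into any hand-written parser: the header block is never sliced or decoded until it is known to fit.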
CVE-2025-49124 – Windows Installer Side-Loading Risk
On Windows, the Tomcat installer invoked icacls.exe without specifying its full path, so the name was resolved through the normal executable search order. An attacker able to place a malicious icacls.exe in a directory searched before the Windows system directory could have it run with the installer's privileges instead of the genuine binary.
“The Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability,” reads the advisory.
While the severity is rated low, environments where unprivileged users can write to the directory the installer is launched from, or to any directory on the installing account's PATH, should obtain the fixed installer before running it and confirm it was downloaded intact.
CVE-2025-49125 – Security Constraint Bypass in Pre/PostResources
When a web application mounts PreResources or PostResources at a path other than the web application root, Tomcat could serve those resources via an unexpected alternate path. Security constraints declared for the expected path do not apply to the alternate one, so an attacker could reach protected content without authorization.
“It was possible to access those resources via an unexpected path… allowing those security constraints to be bypassed,” the advisory states.
This flaw is rated moderate and affects any deployment that mounts PreResources or PostResources somewhere other than the root and relies on security constraints to control access to them.
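Finding the deployments this affects means locating non-root PreResources or PostResources mounts and checking whether a security constraint guards the expected path. The following is an added example written for this article, not Tomcat code: it parses a context.xml for Pre/PostResources elements whose webAppMount is not "/" and cross-references them against the url-patterns declared in web.xml security constraints. Element and attribute names follow Tomcat's documented resource configuration and the standard web.xml schema; the two sample documents are constructed, and the matcher handles exact and path-prefix patterns only.

```python
"""Audit Tomcat context.xml mounts relevant to CVE-2025-49125.

Added example for this article, not Tomcat code. It lists every <PreResources>
or <PostResources> element whose webAppMount is not the web application root
(the configuration the advisory concerns) and reports which web.xml
security-constraint url-patterns cover the expected mount path, so the
deployments where a bypass would matter can be found quickly. Attribute and
element names follow Tomcat's documented resource and web.xml syntax; the two
sample documents are constructed.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONTEXT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/opt/app/shared-static" webAppMount="/static" />
    <PostResources className="org.apache.catalina.webresources.JarResourceSet"
                   base="/opt/app/extras.jar" webAppMount="/" />
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/opt/app/admin-docs" webAppMount="/admin/docs" />
  </Resources>
</Context>
"""

SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def non_root_mounts(context_xml):
    """(element, base, webAppMount) for each Pre/PostResources not mounted at '/'."""
    findings = []
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) not in ("PreResources", "PostResources"):
            continue
        mount = el.get("webAppMount", "/")        # Tomcat's default is the root
        if mount.rstrip("/"):                      # "/" (or "") is the root
            findings.append((_local(el.tag), el.get("base", ""), mount))
    return findings


def constraint_patterns(web_xml):
    """Every url-pattern declared inside a security-constraint."""
    patterns = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        for p in sc.iter():
            if _local(p.tag) == "url-pattern" and p.text:
                patterns.append(p.text.strip())
    return patterns


def pattern_covers(pattern, path):
    """Exact and path-prefix matching as used for security constraints.

    Extension patterns (*.jsp) are deliberately not handled: they do not
    describe a mount prefix, which is what this audit compares against.
    """
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def audit(context_xml, web_xml):
    """One record per non-root mount, with the constraint patterns that cover it.

    A mount with an empty 'constrained_by' list has no security-constraint
    covering its expected path; a mount with patterns listed is where
    CVE-2025-49125 could expose content those constraints were meant to guard.
    """
    patterns = constraint_patterns(web_xml)
    report = []
    for element, base, mount in non_root_mounts(context_xml):
        report.append({
            "element": element,
            "base": base,
            "mount": mount,
            "constrained_by": [p for p in patterns
                               if pattern_covers(p, mount.rstrip("/"))],
        })
    return report
```

Running audit(SAMPLE_CONTEXT_XML, SAMPLE_WEB_XML) on the constructed input reports the /static mount with no covering constraint and the /admin/docs mount as covered by /admin/*; the root-mounted JarResourceSet is skipped because the advisory only concerns non-root mounts. Point the two functions at the real context.xml (in META-INF or conf/Catalina/<host>/) and WEB-INF/web.xml of each deployed application to prioritise which ones to upgrade first.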
Patch Now
All four vulnerabilities are resolved in the following patched versions: