BIT-tomcat-2025-48988
Allocation of Resources Without Limits or Throttling vulnerability in tomcat-embed-core (Maven)
What is BIT-tomcat-2025-48988 About?
This vulnerability in Apache Tomcat is an Allocation of Resources Without Limits or Throttling issue, which can lead to resource exhaustion. When exploited, it causes a denial of service for legitimate users. Exploitation is relatively easy when an attacker can reach the code path that performs the unbounded allocation, since no limit stops the allocation from growing.
Affected Software
- org.apache.tomcat:tomcat-catalina
  - >8.5.0, <=8.5.100
  - >11.0.0-M1, <11.0.8
  - >9.0.0.M1, <9.0.106
  - >10.1.0-M1, <10.1.42
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.0, <=8.5.100
  - >11.0.0-M1, <11.0.8
  - >9.0.0.M1, <9.0.106
  - >10.1.0-M1, <10.1.42
Technical Details
The Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat (versions from 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105, as well as older EOL versions like 8.5.0 through 8.5.100) arises from the server's inability to properly limit or throttle specific resource allocations. An attacker can repeatedly request or trigger certain operations that consume an unbounded amount of resources (e.g., memory, CPU, or open file descriptors) without any mechanisms in place to prevent exhaustion. This could involve, for instance, sending a large number of concurrent requests, or crafting requests that cause an expensive internal process to be initiated repeatedly without resource checks. As these resources are consumed, the server becomes unresponsive to legitimate requests, leading to a denial-of-service condition.
What is the Impact of BIT-tomcat-2025-48988?
Successful exploitation may allow attackers to exhaust system resources, leading to a denial of service for legitimate users and impacting the availability of the affected system.
What is the Exploitability of BIT-tomcat-2025-48988?
Exploitation of this vulnerability is generally low to medium complexity. Prerequisites depend on the specific resource being exhausted but typically involve the ability to send requests to the vulnerable Tomcat instance. Authentication is often not required, as many resource exhaustion attacks target publicly accessible services; however, if the vulnerable endpoint requires authentication, then authenticated access would be a prerequisite. Privilege requirements are low, as the goal is to consume resources, not to gain elevated privileges on the system. This is primarily a remote vulnerability. Special conditions might involve knowing which specific functions or endpoints trigger uncontrolled resource allocation. Risk factors that increase exploitation likelihood include publicly exposed Tomcat instances, insufficient rate limiting, and lack of resource monitoring or quotas on the server.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| Samb102 | Link | PoC for CVE-2025-48988 |
What are the Available Fixes for BIT-tomcat-2025-48988?
About the Fix from Resolved Security
This patch introduces limits on both the number of parts in a multipart/form-data request and the size of each part’s headers, rejecting requests that exceed those thresholds. By allowing configuration of maxPartCount and maxPartHeaderSize, it mitigates resource exhaustion attacks described in CVE-2025-48988, where an attacker could submit multipart requests with excessive parts or large headers to trigger denial of service.
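To show the pattern the fix relies on, here is an added illustration (not Tomcat's code and not the patch itself): a small streaming multipart/form-data parser with and without the two limits the patch introduces. The unbounded variant allocates a part for every boundary the client sends; the bounded variant refuses the request as soon as the part count or a part's header block exceeds its threshold, before allocating further. The threshold values (10 parts, 512 header bytes), the boundary string and the sample requests are constructed for the example and are not claimed to be Tomcat's defaults; in Tomcat the equivalent limits are the maxPartCount and maxPartHeaderSize attributes on the Connector element in server.xml.

```python
"""Bounded vs. unbounded multipart/form-data parsing (added example, not Tomcat code)."""
from __future__ import annotations

from dataclasses import dataclass

# Example thresholds for this illustration; analogous to Tomcat's maxPartCount and
# maxPartHeaderSize Connector attributes, but not asserted to be Tomcat's defaults.
MAX_PART_COUNT = 10
MAX_PART_HEADER_SIZE = 512  # bytes of header block per part

BOUNDARY = b"example-boundary"  # constructed boundary for the sample requests


class MultipartLimitExceeded(Exception):
    """Raised when a request exceeds a configured multipart limit."""


@dataclass
class Part:
    headers: dict[str, str]
    data: bytes


def parse_headers(raw: bytes) -> dict[str, str]:
    """Parse a part's header block into a lower-cased name -> value map."""
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def parse_multipart(body: bytes, boundary: bytes,
                    max_part_count: int | None = None,
                    max_part_header_size: int | None = None) -> list[Part]:
    """Parse parts one at a time.

    With both limits None the parser is unbounded: every boundary the client sends
    becomes an allocated Part. With limits set, the request is rejected as soon as a
    limit is crossed, so the attacker controls at most a bounded amount of work.
    """
    dash_boundary = b"--" + boundary
    if not body.startswith(dash_boundary):
        raise ValueError("body does not start with the boundary delimiter")
    pos = len(dash_boundary)
    parts: list[Part] = []
    while True:
        if body.startswith(b"--", pos):
            return parts  # closing delimiter "--boundary--": request complete
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        # Check the part count before doing any work for the new part.
        if max_part_count is not None and len(parts) >= max_part_count:
            raise MultipartLimitExceeded(f"more than {max_part_count} parts")
        # Only scan for the header terminator within the permitted header size.
        window_end = len(body) if max_part_header_size is None else pos + max_part_header_size + 4
        header_end = body.find(b"\r\n\r\n", pos, window_end)
        if header_end < 0:
            if window_end < len(body):
                raise MultipartLimitExceeded(f"part headers exceed {max_part_header_size} bytes")
            raise ValueError("malformed part: header block not terminated")
        headers = parse_headers(body[pos:header_end])
        data_start = header_end + 4
        next_delim = body.find(b"\r\n" + dash_boundary, data_start)
        if next_delim < 0:
            raise ValueError("malformed part: no terminating boundary")
        parts.append(Part(headers, body[data_start:next_delim]))
        pos = next_delim + 2 + len(dash_boundary)


def build_multipart(boundary: bytes, fields: list[tuple[bytes, bytes, bytes]]) -> bytes:
    """Build a multipart/form-data body from (name, extra_header_line, value) tuples."""
    out = bytearray()
    for name, extra, value in fields:
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"\r\n'
        if extra:
            out += extra + b"\r\n"
        out += b"\r\n" + value + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


# Constructed sample requests.
def normal_request() -> bytes:
    return build_multipart(BOUNDARY, [(b"file", b"Content-Type: text/plain", b"hello"),
                                      (b"desc", b"", b"a note")])


def flood_request(n_parts: int) -> bytes:
    return build_multipart(BOUNDARY, [(b"f%d" % i, b"", b"x") for i in range(n_parts)])


def oversized_header_request() -> bytes:
    return build_multipart(BOUNDARY, [(b"f", b"X-Padding: " + b"A" * 1000, b"x")])


def check(body: bytes) -> tuple[str, object]:
    """Run the bounded parser; return ("accepted", part count) or ("rejected", reason)."""
    try:
        return ("accepted", len(parse_multipart(body, BOUNDARY, MAX_PART_COUNT, MAX_PART_HEADER_SIZE)))
    except MultipartLimitExceeded as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("normal:", check(normal_request()))
    print("unbounded parser on 500 parts:", len(parse_multipart(flood_request(500), BOUNDARY)))
    print("bounded parser on 500 parts:", check(flood_request(500)))
    print("bounded parser on oversized header:", check(oversized_header_request()))
```

The important detail is where the checks sit: the part-count check runs before any work on a new part, and the header scan is confined to a window of maxPartHeaderSize bytes, so an attacker-controlled request can never make the server read or allocate beyond the configured bound. The same reasoning is why the limits belong on the Connector (the point where the request enters the server) rather than in application code that runs only after parsing.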
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0.M1, <9.0.106 → Upgrade to 9.0.106
  - >10.1.0-M1, <10.1.42 → Upgrade to 10.1.42
  - >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
- org.apache.tomcat:tomcat-catalina
  - >9.0.0.M1, <9.0.106 → Upgrade to 9.0.106
  - >10.1.0-M1, <10.1.42 → Upgrade to 10.1.42
  - >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
Additional Resources
- https://osv.dev/vulnerability/GHSA-h3gc-qfqq-6h8f
- http://www.openwall.com/lists/oss-security/2025/06/16/1
- https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
- https://github.com/apache/tomcat
- https://nvd.nist.gov/vuln/detail/CVE-2025-48988
- https://tomcat.apache.org/security-11.html
- https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
- https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
What are Similar Vulnerabilities to BIT-tomcat-2025-48988?
Similar Vulnerabilities: CVE-2023-44673, CVE-2022-42289, CVE-2022-45047, CVE-2021-44757, CVE-2020-13936
