BIT-tomcat-2025-48989
Improper Resource Shutdown or Release vulnerability in tomcat-coyote (Maven)

Weakness type: Improper Resource Shutdown or Release. Known exploit: none.

What is BIT-tomcat-2025-48989 About?

Apache Tomcat is vulnerable to the 'made you reset' attack due to improper resource shutdown or release. This flaw affects multiple versions, potentially leading to denial of service or other service disruptions. Users are advised to upgrade to patched versions.

Affected Software

  • org.apache.tomcat:tomcat-coyote
    • >9.0.0.M1, <9.0.108
    • >10.1.0-M1, <10.1.44
    • >11.0.0-M1, <11.0.10
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.108
    • >10.1.0-M1, <10.1.44
    • >11.0.0-M1, <11.0.10

Technical Details

The 'made you reset' attack in Apache Tomcat stems from an Improper Resource Shutdown or Release weakness: under specific conditions, resources that Tomcat has allocated or opened are not properly closed, released, or cleared. The precise mechanism of the attack is not detailed here; weaknesses of this class typically involve a resource leak or incorrect state management after a connection or operation ends. The effect is resource exhaustion over time, or the ability for an attacker to force a reset of a connection or resource by triggering the improper handling, disrupting legitimate users or processes. The issue affects multiple Apache Tomcat release lines (11.x, 10.1.x, 9.0.x).

What is the Impact of BIT-tomcat-2025-48989?

Successful exploitation may allow attackers to cause client connection resets, disrupt service availability, or lead to resource exhaustion on the server over time.

What is the Exploitability of BIT-tomcat-2025-48989?

Exploitation likely involves crafting specific requests or sequences of interactions with the Apache Tomcat server to trigger the improper resource shutdown or release. This is typically a remote attack and may or may not require authentication, depending on which resource is mishandled. Complexity varies: some resource-handling issues are triggered by simple malformed requests, while others require careful timing or knowledge of internal server state. No privileges beyond network access to the Tomcat instance are generally required. Risk is increased when the Tomcat server is directly exposed to untrusted networks, and by the nature of the application running on it, which may worsen the resource-consumption problem.

What are the Known Public Exploits?

PoC / Author / Link / Commentary: no known exploits listed.

What are the Available Fixes for BIT-tomcat-2025-48989?

Available Upgrade Options

  • org.apache.tomcat:tomcat-coyote
    • >9.0.0.M1, <9.0.108 → Upgrade to 9.0.108
    • >10.1.0-M1, <10.1.44 → Upgrade to 10.1.44
    • >11.0.0-M1, <11.0.10 → Upgrade to 11.0.10
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.108 → Upgrade to 9.0.108
    • >10.1.0-M1, <10.1.44 → Upgrade to 10.1.44
    • >11.0.0-M1, <11.0.10 → Upgrade to 11.0.10
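As an added example (not part of this advisory or of Apache Tomcat), the following Python script encodes the affected ranges exactly as printed above, parses Tomcat version strings including milestone builds, and flags matching artifacts in constructed `mvn dependency:list` output. The milestone-before-GA ordering is an assumption about Tomcat version numbering, and the strict lower bounds follow the ranges as listed.

```python
import re
from typing import List, Optional, Tuple
# Affected ranges exactly as printed in the advisory (both bounds exclusive),
# each paired with the version the advisory says to upgrade to.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.108", "9.0.108"),
    ("10.1.0-M1", "10.1.44", "10.1.44"),
    ("11.0.0-M1", "11.0.10", "11.0.10"),
]
# Maven coordinates the advisory lists as affected.
VULNERABLE_ARTIFACTS = {
    "org.apache.tomcat:tomcat-coyote",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse '9.0.108', '9.0.0.M1' or '10.1.0-M1' into a comparable tuple; a
    milestone M<n> sorts below the GA build, which gets a large sentinel."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), int(milestone or 10**6)

def check_artifact(coordinate: str, version: str) -> Optional[str]:
    """Return the fix version if the artifact is in an affected range, else None."""
    if coordinate not in VULNERABLE_ARTIFACTS:
        return None
    parsed = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if parse_version(low) < parsed < parse_version(high):
            return fix
    return None

# Constructed sample of `mvn dependency:list` output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.40:compile
[INFO]    org.apache.tomcat:tomcat-coyote:jar:9.0.108:compile
[INFO]    org.springframework:spring-web:jar:6.1.0:compile
"""
DEP_LINE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):\w+")

def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Return (coordinate, version, fix) for every flagged dependency line."""
    findings = []
    for m in DEP_LINE.finditer(text):
        coordinate, version = f"{m.group(1)}:{m.group(2)}", m.group(3)
        if fix := check_artifact(coordinate, version):
            findings.append((coordinate, version, fix))
    return findings
```

Feed it the real output of `mvn dependency:list` to see which resolved artifacts fall inside the ranges above.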


Additional Resources

What are Similar Vulnerabilities to BIT-tomcat-2025-48989?

Similar Vulnerabilities: CVE-2023-46681, CVE-2023-34032, CVE-2023-28849, CVE-2024-21010, CVE-2023-49033