CVE-2025-48976
Denial of Service vulnerability in commons-fileupload (Maven)


What is CVE-2025-48976 About?

An insufficient limits vulnerability in Apache Commons FileUpload allows for excessive resource allocation during multipart header processing. This can lead to a denial-of-service condition due to resource exhaustion. This flaw is easy to exploit if an application uses affected versions of the library to process untrusted file uploads.

Affected Software

  • commons-fileupload:commons-fileupload
    • >1.0, <1.6.0
  • org.apache.commons:commons-fileupload2-core
    • >2.0.0-M1, <2.0.0-M4

Technical Details

The vulnerability stems from insufficient limits on resource allocation when Apache Commons FileUpload parses multipart headers. When processing file uploads, affected versions (from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4) do not adequately restrict the memory or other resources consumed by the headers of each part of a multipart request, so the amount allocated is effectively controlled by the sender. A malformed or excessively large multipart header therefore causes the application to allocate an exorbitant amount of resources; this uncontrolled consumption exhausts them and results in a denial-of-service condition in which the application becomes unresponsive or crashes.
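To make the mechanism concrete, the following is an added illustration written for this page, not Commons FileUpload's own parser: a reader for the header block of one multipart part that refuses to buffer more than a fixed number of bytes. An unbounded version of the same loop (grow a buffer until the blank line arrives) is exactly the pattern the paragraph above describes, because the client decides how many bytes get accumulated. The 512-byte constant mirrors the default this page reports for the fix; the class, method and exception names are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/**
 * Added illustration (not Commons FileUpload code): reads the header block of one
 * multipart part, i.e. everything up to the blank line (CRLF CRLF) that separates
 * headers from the body, and refuses to buffer more than maxHeaderBytes of it.
 */
public final class PartHeaderReader {

    /** Mirrors the 512-byte default the fix description on this page gives. */
    public static final int DEFAULT_MAX_HEADER_BYTES = 512;

    /** Thrown when a part's headers exceed the configured limit. */
    public static final class HeaderTooLargeException extends IOException {
        public HeaderTooLargeException(int limit) {
            super("multipart part headers exceed " + limit + " bytes");
        }
    }

    private PartHeaderReader() {}

    /**
     * Reads header bytes from in until the CRLF CRLF terminator is seen.
     * Throws HeaderTooLargeException as soon as maxHeaderBytes would be exceeded,
     * so at most maxHeaderBytes are ever buffered regardless of input length.
     */
    public static String readPartHeaders(InputStream in, int maxHeaderBytes) throws IOException {
        byte[] buf = new byte[maxHeaderBytes]; // fixed-size: the bound is the buffer itself
        int len = 0;
        int b;
        while ((b = in.read()) != -1) {
            if (len == maxHeaderBytes) {
                throw new HeaderTooLargeException(maxHeaderBytes);
            }
            buf[len++] = (byte) b;
            // Terminator check: the last four bytes are \r\n\r\n.
            if (len >= 4
                    && buf[len - 4] == '\r' && buf[len - 3] == '\n'
                    && buf[len - 2] == '\r' && buf[len - 1] == '\n') {
                return new String(buf, 0, len - 4, StandardCharsets.ISO_8859_1);
            }
        }
        throw new IOException("stream ended before end of part headers");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a normal part header block well under the limit.
        String normal = "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n"
                + "Content-Type: text/plain\r\n\r\nbody...";
        System.out.println("accepted: " + readPartHeaders(
                new ByteArrayInputStream(normal.getBytes(StandardCharsets.ISO_8859_1)),
                DEFAULT_MAX_HEADER_BYTES).replace("\r\n", " | "));

        // Constructed sample: a single header whose value is 10 KiB of padding.
        StringBuilder oversized = new StringBuilder("X-Padding: ");
        for (int i = 0; i < 10 * 1024; i++) {
            oversized.append('a');
        }
        oversized.append("\r\n\r\n");
        try {
            readPartHeaders(new ByteArrayInputStream(
                    oversized.toString().getBytes(StandardCharsets.ISO_8859_1)),
                    DEFAULT_MAX_HEADER_BYTES);
        } catch (HeaderTooLargeException e) {
            // Rejected after buffering 512 bytes, not after buffering the whole header.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the fixed-size array is that the memory cost per part is decided by the server before any bytes arrive; with a growable buffer the cost is decided by whoever sends the request.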

What is the Impact of CVE-2025-48976?

Successful exploitation may allow attackers to cause resource exhaustion, leading to a denial of service, rendering the affected application unresponsive or unstable.

What is the Exploitability of CVE-2025-48976?

Exploitation complexity for this vulnerability is low. It requires an application to be using an affected version of Apache Commons FileUpload and to process user-supplied multipart requests, typically for file uploads. No authentication or prior privileges are generally required, as multipart requests are often handled by publicly accessible endpoints. This is a remote attack. The attacker needs to send a specially crafted multipart request with oversized or malformed headers. The primary risk factor is the deployment of applications that accept file uploads from untrusted sources without applying the necessary updates to the FileUpload library.

What are the Known Public Exploits?

  • nankuo (Link): CVE-2025-48976_CVE-2025-48988

What are the Available Fixes for CVE-2025-48976?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch introduces a default per-part header size limit of 512 bytes in file uploads and enforces it during parsing, with the ability to configure the limit via the API. By limiting the size of multipart headers, it mitigates the risk of header-related resource exhaustion attacks, thereby fixing the vulnerability CVE-2025-48976 where an attacker could previously trigger excessive memory usage or denial-of-service by sending multipart requests with excessively large headers.
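The following servlet is an added example, written for this page rather than taken from the advisory or from the Commons FileUpload project, showing how an application on the 1.x line would set the per-part header limit explicitly alongside the existing per-file and per-request limits. It assumes the javax.servlet API and commons-fileupload:commons-fileupload:1.6.0 on the classpath, and it assumes the setter for the new limit is named setPartHeaderSizeMax(int) on FileUploadBase; confirm that name against the javadoc of the exact version you deploy.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Added example (not from the advisory or the Commons FileUpload project):
 * a servlet that parses uploads with commons-fileupload 1.6.0 and sets every
 * size limit explicitly, including the per-part header limit this fix adds.
 */
public class BoundedUploadServlet extends HttpServlet {

    // 512 bytes is the default the fix description gives; setting it explicitly
    // documents the intent and survives a future change of default.
    private static final int PART_HEADER_SIZE_MAX = 512;
    // Per-file and whole-request caps: not part of this CVE, but the same
    // resource-exhaustion defence, and available in all 1.x releases.
    private static final long FILE_SIZE_MAX = 10L * 1024 * 1024;     // 10 MiB per file
    private static final long REQUEST_SIZE_MAX = 12L * 1024 * 1024;  // 12 MiB per request

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }

        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // Assumption: the 1.6.0 setter for the new per-part header limit is
        // FileUploadBase.setPartHeaderSizeMax(int); verify against the javadoc
        // of the version you deploy.
        upload.setPartHeaderSizeMax(PART_HEADER_SIZE_MAX);
        upload.setFileSizeMax(FILE_SIZE_MAX);
        upload.setSizeMax(REQUEST_SIZE_MAX);

        List<FileItem> items;
        try {
            items = upload.parseRequest(req);
        } catch (FileUploadException e) {
            // Any limit violation (oversized part headers, file or request) lands here.
            // Report the exception type only; do not echo attacker-controlled header content.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "upload rejected: " + e.getClass().getSimpleName());
            return;
        }

        int files = 0;
        for (FileItem item : items) {
            if (!item.isFormField()) {
                files++;
                // Process item.getInputStream() / item.getSize() here.
            }
            item.delete(); // release temporary storage once the part is handled
        }
        resp.setStatus(HttpServletResponse.SC_OK);
        resp.getWriter().println("accepted " + files + " file part(s)");
    }
}
```

On the 2.x line (commons-fileupload2-core 2.0.0-M4) the servlet integration classes differ, so the same three limits are applied through that artifact's own upload classes; the page gives the fixed version but not those class names, so they are not reproduced here.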

Available Upgrade Options

  • commons-fileupload:commons-fileupload
    • >1.0, <1.6.0 → Upgrade to 1.6.0
  • org.apache.commons:commons-fileupload2-core
    • >2.0.0-M1, <2.0.0-M4 → Upgrade to 2.0.0-M4


Additional Resources

What are Similar Vulnerabilities to CVE-2025-48976?

Similar Vulnerabilities: CVE-2021-44228, CVE-2022-22965, CVE-2023-24998, CVE-2022-37865, CVE-2023-20883