CVE-2025-61795
Denial of Service vulnerability in tomcat (Maven)
What is CVE-2025-61795 About?
This vulnerability can lead to a denial-of-service condition in Apache Tomcat during multipart uploads. When an upload fails or exceeds a configured limit, the temporary files already written for it are not cleaned up immediately, which can exhaust disk space and make the service unavailable. Although specific conditions must be met, exploitation is relatively simple because ordinary upload errors are enough to trigger it.
Affected Software
- org.apache.tomcat:tomcat
  - >9.0.0.40, <9.0.110
  - >11.0.0-M1, <11.0.12
  - >10.1.0-M1, <10.1.47
  - >8.5.60, <=8.5.100
- org.apache.tomcat:tomcat-catalina
  - >9.0.0.40, <9.0.110
  - >11.0.0-M1, <11.0.12
  - >10.1.0-M1, <10.1.47
  - >8.5.60, <=8.5.100
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0.40, <9.0.110
  - >11.0.0-M1, <11.0.12
  - >10.1.0-M1, <10.1.47
  - >8.5.60, <=8.5.100
Technical Details
The vulnerability exists in Apache Tomcat's handling of temporary files during multipart uploads. When an error occurs during a multipart upload (for example, a configured size limit is exceeded or the network fails mid-transfer), the temporary copies of the uploaded parts have already been written to disk but are not deleted immediately. Instead, they are left for the Java Virtual Machine's (JVM) garbage collection process to remove. Depending on factors such as JVM settings, the application's memory usage profile, and the rate at which the server receives new multipart upload requests, these temporary files can accumulate faster than garbage collection removes them. The accumulation eventually exhausts disk space, resulting in a denial-of-service condition for the Tomcat instance.
What is the Impact of CVE-2025-61795?
Successful exploitation may allow attackers to cause a denial-of-service condition, leading to service unavailability, resource exhaustion, and potential instability of the affected system.
What is the Exploitability of CVE-2025-61795?
Exploitation is remote and consists of initiating multipart uploads. No authentication is required to upload files unless the application itself enforces it, and no special privileges are needed. The vulnerability is not exploited through a crafted payload but by repeatedly triggering multipart upload errors or limit exceedances. Complexity is low because it relies on normal application functionality. The likelihood of exploitation increases in applications that frequently handle large multipart uploads, enforce strict upload limits, or run under high load, since these conditions more readily produce upload errors and fill temporary storage before garbage collection clears it.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-61795?
About the Fix from Resolved Security
Available Upgrade Options
- org.apache.tomcat:tomcat
  - >9.0.0.40, <9.0.110 → Upgrade to 9.0.110
  - >10.1.0-M1, <10.1.47 → Upgrade to 10.1.47
  - >11.0.0-M1, <11.0.12 → Upgrade to 11.0.12
- org.apache.tomcat:tomcat-catalina
  - >9.0.0.40, <9.0.110 → Upgrade to 9.0.110
  - >10.1.0-M1, <10.1.47 → Upgrade to 10.1.47
  - >11.0.0-M1, <11.0.12 → Upgrade to 11.0.12
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0.40, <9.0.110 → Upgrade to 9.0.110
  - >10.1.0-M1, <10.1.47 → Upgrade to 10.1.47
  - >11.0.0-M1, <11.0.12 → Upgrade to 11.0.12
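As an added example (not Resolved Security's tooling or Apache Tomcat project code), the following Python check encodes the affected ranges and upgrade targets exactly as this page lists them and applies them to `mvn dependency:list` output to answer "is this build affected, and what do I upgrade to?". It assumes Tomcat's dotted version numbering with an optional `-Mn` milestone suffix, and the sample dependency output is constructed.

```python
import re
# Affected ranges as listed on this page: (exclusive lower bound, upper bound,
# upper bound inclusive?, upgrade target or None when the page lists none).
RANGES = [
    ("9.0.0.40", "9.0.110", False, "9.0.110"),
    ("10.1.0-M1", "10.1.47", False, "10.1.47"),
    ("11.0.0-M1", "11.0.12", False, "11.0.12"),
    ("8.5.60", "8.5.100", True, None),  # 8.5.x: affected, no upgrade listed
]
AFFECTED = {"org.apache.tomcat:tomcat", "org.apache.tomcat:tomcat-catalina",
            "org.apache.tomcat.embed:tomcat-embed-core"}
# Assumed version shape: dotted integers with an optional "-Mn" milestone suffix.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-M(\d+))?$")

def version_key(version):
    """Sortable key; milestone -Mn sorts before the final release: 11.0.0-M1 < 11.0.0 < 11.0.12."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so 9.0.45 and 9.0.0.40 compare component by component
    return nums + ((1, 0) if m.group(2) is None else (0, int(m.group(2))))

def check(artifact, version):
    """Return (affected, upgrade_target); target is None if unaffected or no fix is listed (8.5.x)."""
    if artifact not in AFFECTED:
        return False, None
    key = version_key(version)
    for low, high, inclusive, fix in RANGES:
        below_high = key <= version_key(high) if inclusive else key < version_key(high)
        if key > version_key(low) and below_high:
            return True, fix
    return False, None

def scan_dependency_list(text):
    """Scan `mvn dependency:list` lines (g:a:type[:classifier]:version:scope); return affected hits."""
    findings = []
    for line in text.splitlines():
        fields = line.split()[-1].split(":") if line.strip() else []
        if len(fields) in (5, 6):
            artifact, version = f"{fields[0]}:{fields[1]}", fields[-2]
            hit, fix = check(artifact, version)
            if hit:
                findings.append((artifact, version, fix))
    return findings
# Constructed sample of dependency:list output, not taken from a real build.
SAMPLE = """[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.30:compile
[INFO]    org.apache.tomcat:tomcat-catalina:jar:11.0.12:compile
[INFO]    org.springframework:spring-core:jar:6.1.0:compile"""
```

Running `scan_dependency_list(SAMPLE)` flags only the embedded core at 10.1.30 with upgrade target 10.1.47; 11.0.12 is the fixed version and is not reported. Note that an 8.5.x hit returns no upgrade target because this page lists none for that branch.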
Additional Resources
- https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.47
- https://nvd.nist.gov/vuln/detail/CVE-2025-61795
- https://osv.dev/vulnerability/GHSA-hgrr-935x-pq79
- https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.12
- https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b
- https://github.com/apache/tomcat
- https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06
What are Similar Vulnerabilities to CVE-2025-61795?
Similar Vulnerabilities: CVE-2023-45648, CVE-2021-25329, CVE-2020-13941, CVE-2019-0221, CVE-2017-7660
