Saturday, February 14, 2026

Apache Tomcat Vulnerabilities Allow Attackers to Bypass Authentication and Launch DoS Attacks

Apache Tomcat, the widely used open-source Java servlet container, disclosed four security vulnerabilities on June 16, 2025, including two high-severity denial-of-service (DoS) vulnerabilities and a moderate-risk authentication bypass issue.

The vulnerabilities affect all major Tomcat branches (versions 9.x, 10.x, and 11.x), potentially exposing millions of web applications to exploitation.

Administrators must upgrade to patched versions (9.0.106, 10.1.42, or 11.0.8) immediately to mitigate risks.

The first vulnerability stems from Apache Commons FileUpload’s hard-coded 10kB limit for individual part headers in multipart requests.

Attackers could craft requests containing thousands of parts with oversized headers, forcing servers to allocate excessive memory.

The second vulnerability arises from Tomcat’s shared configuration limit for both request parameters and multipart parts.

Since each part includes headers and metadata, processing numerous small parts consumes disproportionate memory compared to standard parameters.

Apache’s patch introduces two new configuration parameters: maxPartHeaderSize (default 512 bytes) to control header size per part, and maxPartCount (default 10 parts) to limit total parts in a request.

These changes reduce default memory allocation by 95% for multipart processing.

The two DoS issues, tracked as CVE-2025-48976 and CVE-2025-48988, are interrelated and enable memory exhaustion attacks through malicious multipart/form-data requests.

The TERASOLUNA Framework Security Team at NTT DATA discovered these vulnerabilities during stress testing of file upload functionalities in distributed systems.
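The two limits described above are easiest to understand in code. The following is an added example written for this article, not Tomcat's or Commons FileUpload's implementation: a minimal multipart/form-data parser that enforces a part-count cap and a per-part header-size cap with the same defaults the article reports (10 parts, 512 bytes), rejecting the request as soon as either limit is hit rather than after the whole body has been buffered. The boundary string, field names and request bodies are constructed for the demonstration.

```python
"""Enforce part-count and part-header-size limits on multipart/form-data.

Added example, not Tomcat's or Commons FileUpload's code: a minimal
multipart parser that applies the two limits the fix introduced, a cap on
the number of parts and a cap on the size of each part's header block,
with defaults matching the values reported in the article (10 parts,
512 bytes). Both checks fire incrementally, before the offending part is
buffered.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CRLF = b"\r\n"


class MultipartLimitExceeded(ValueError):
    """Raised when a request exceeds a configured multipart limit."""


@dataclass
class Part:
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_multipart(body: bytes, boundary: bytes,
                    max_part_count: int = 10,
                    max_part_header_size: int = 512) -> List[Part]:
    """Split the body at the boundary and parse each part under the limits."""
    delimiter = b"--" + boundary
    parts: List[Part] = []
    # Text before the first delimiter is preamble and is discarded.
    for seg in body.split(delimiter)[1:]:
        if seg.startswith(b"--"):
            break  # "--boundary--" closes the body
        if len(parts) >= max_part_count:
            raise MultipartLimitExceeded(
                f"more than {max_part_count} parts in request")
        seg = seg[len(CRLF):] if seg.startswith(CRLF) else seg
        header_end = seg.find(CRLF + CRLF)
        if header_end == -1:
            raise ValueError("part lacks a header/body separator")
        if header_end > max_part_header_size:
            raise MultipartLimitExceeded(
                f"part header block of {header_end} bytes exceeds "
                f"{max_part_header_size}")
        header_block, data = seg[:header_end], seg[header_end + 4:]
        headers: Dict[str, str] = {}
        for line in header_block.split(CRLF):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        # Drop the CRLF that separates the part body from the next delimiter.
        if data.endswith(CRLF):
            data = data[:-len(CRLF)]
        parts.append(Part(headers, data))
    return parts


def build_multipart(fields: List[Tuple[str, bytes]], boundary: bytes,
                    extra_header: bytes = b"") -> bytes:
    """Constructed sample input: assemble a multipart/form-data body."""
    out = bytearray()
    for name, value in fields:
        out += b"--" + boundary + CRLF
        out += b'Content-Disposition: form-data; name="' + name.encode() + b'"' + CRLF
        if extra_header:
            out += extra_header + CRLF
        out += CRLF + value + CRLF
    out += b"--" + boundary + b"--" + CRLF
    return bytes(out)


def check_request(body: bytes, boundary: bytes, **limits) -> Tuple[str, object]:
    """Return ("accepted", part_count) or ("rejected", reason)."""
    try:
        parts = parse_multipart(body, boundary, **limits)
    except MultipartLimitExceeded as exc:
        return ("rejected", str(exc))
    return ("accepted", len(parts))


BOUNDARY = b"----exampleBoundary7d1"  # constructed boundary value


def demo() -> Dict[str, Tuple[str, object]]:
    """Exercise the limits on constructed requests."""
    small = build_multipart([(f"f{i}", b"v") for i in range(3)], BOUNDARY)
    many = build_multipart([(f"f{i}", b"v") for i in range(11)], BOUNDARY)
    big_header = build_multipart([("f0", b"v")], BOUNDARY,
                                 extra_header=b"X-Pad: " + b"a" * 600)
    return {
        "three_parts": check_request(small, BOUNDARY),
        "eleven_parts": check_request(many, BOUNDARY),
        "oversized_header": check_request(big_header, BOUNDARY),
        "eleven_parts_raised_limit": check_request(many, BOUNDARY, max_part_count=20),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of checking the count before parsing each part, and the header length before splitting the header block, is that memory use stays bounded by the configured limits regardless of how many parts or how much header data the client sends; an application that legitimately needs more parts raises the cap explicitly, as the last case in `demo()` does, instead of running without one.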

Apache Tomcat Vulnerabilities

CVE-2025-49125 exposes a critical misconfiguration in Tomcat’s handling of PreResources and PostResources—components used to overlay static content before or after web application deployment.

When these resources were mounted at non-root paths (e.g., /internal/config), attackers could access them via alternate URL paths that bypassed security constraints like role-based authentication or IP whitelisting.

For example, a resource mapped to /admin/dashboard might remain accessible through /internal/../admin/dashboard if not properly sanitized.

Researcher Greg K demonstrated how this path traversal vulnerability could leak sensitive configuration files or administrative interfaces.

The vulnerability particularly impacts organizations using Tomcat’s programmable configuration overlay features for multi-tenant environments.

The DoS vulnerabilities (CVE-2025-48976 and CVE-2025-48988) pose immediate risks to application availability, while the constraint bypass (CVE-2025-49125) threatens data confidentiality.

Patched versions enforce strict path normalization before applying security constraints.
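The order of operations matters here: a constraint matched against the raw request URI can be sidestepped by a path that normalises to a protected one. The following added example (not Tomcat's code) models that class of defect in Python and shows the fix, normalising first and matching constraints on the canonical path. The constraint table, the role names and both authorisation functions are constructed for the example; the "vulnerable" variant illustrates the general pattern the article describes rather than Tomcat's actual PreResources/PostResources code path.

```python
"""Normalise a request path before evaluating security constraints.

Added example, not Tomcat's code. The constraint table and role names
are constructed. authorize_raw() matches constraints on the request URI as
received, so "/internal/../admin/dashboard" slips past a constraint on
"/admin/*" although the served resource is the protected one.
authorize_normalized() canonicalises the path first and also rejects
paths that try to climb above the root.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed stand-in for <security-constraint> entries: (url-pattern, roles).
CONSTRAINTS: List[Tuple[str, Set[str]]] = [
    ("/admin/*", {"admin"}),
    ("/internal/config/*", {"ops"}),
]


def normalize_path(raw: str) -> Optional[str]:
    """Decode once, collapse '.', '..' and empty segments.

    Returns None for paths that are malformed or escape the root, so the
    caller fails closed instead of guessing.
    """
    decoded = unquote(raw)  # single decode; do not decode again downstream
    if not decoded.startswith("/") or "\x00" in decoded:
        return None
    out: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # attempt to climb above the root
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def match_pattern(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact match, or '/prefix/*' path prefix."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_roles(path: str) -> Set[str]:
    """Union of the roles demanded by every constraint that matches the path."""
    roles: Set[str] = set()
    for pattern, pattern_roles in CONSTRAINTS:
        if match_pattern(pattern, path):
            roles |= pattern_roles
    return roles


def authorize_raw(raw_path: str, user_roles: Set[str]) -> bool:
    """Defect pattern: constraints evaluated against the un-normalised URI."""
    need = required_roles(raw_path)
    return not need or bool(need & user_roles)


def authorize_normalized(raw_path: str, user_roles: Set[str]) -> bool:
    """Fixed pattern: canonicalise, reject escapes, then evaluate constraints."""
    path = normalize_path(raw_path)
    if path is None:
        return False
    need = required_roles(path)
    return not need or bool(need & user_roles)


if __name__ == "__main__":
    traversal = "/internal/../admin/dashboard"
    print("raw   :", authorize_raw(traversal, set()))         # True: bypass
    print("fixed :", authorize_normalized(traversal, set()))  # False: denied
```

Two details carry the security weight: the path is decoded exactly once before normalisation, so a percent-encoded `..` cannot survive into the constraint check, and any path that would climb above the root is refused outright rather than being clamped to `/`, which would otherwise let a malformed request reach the default context.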

Windows Installer Vulnerability

While classified as low severity, CVE-2025-49124 reveals a path hijacking risk in Tomcat’s Windows installer.

The installation process invoked icacls.exe—a built-in ACL management tool—without specifying its absolute path (C:\Windows\System32\icacls.exe).

Attackers could place a malicious executable named icacls.exe in directories preceding System32 in the PATH environment variable, triggering arbitrary code execution during installation.

Security engineer T. Doğa Gelişli identified this oversight, noting that privileged users performing installations are especially vulnerable.

Though exploitation requires local access, the vulnerability highlights broader supply chain risks in open-source installation workflows.

These vulnerabilities collectively underscore the importance of proactive server maintenance.

Administrators should prioritize upgrades and review configuration limits for multipart processing.

Apache’s coordinated patch release across all active Tomcat branches demonstrates the severity of these issues—a stark reminder that even mature frameworks require constant vigilance in evolving threat landscapes.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
