CVE-2025-48989 Apache Tomcat - DoS in HTTP/2 - Made You Reset
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.9
Apache Tomcat 10.1.0-M1 to 10.1.43
Apache Tomcat 9.0.0.M1 to 9.0.107
Older, EOL versions may also be affected
Description:
Tomcat's HTTP/2 implementation was vulnerable to the "Made You Reset"
attack. The resulting denial of service typically manifested as an OutOfMemoryError.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.10 or later
- Upgrade to Apache Tomcat 10.1.44 or later
- Upgrade to Apache Tomcat 9.0.108 or later
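A version check against the affected ranges and fixed releases listed above, as an added example that is not part of the advisory. It assumes version strings in the forms Tomcat itself prints (a bare `9.0.107`, the `Apache Tomcat/9.0.107` line from `version.sh`, milestones written `11.0.0-M1` or `9.0.0.M1`); a branch the advisory does not list returns None, which means "not in the listed ranges", not "safe", since older EOL branches may also be affected.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges from the advisory, and the first fixed release per branch.
# Tomcat spells milestones "11.0.0-M1" (11.x, 10.1.x) and "9.0.0.M1" (9.0.x).
AFFECTED = {
    "11.0": (("11.0.0-M1", "11.0.9"), "11.0.10"),
    "10.1": (("10.1.0-M1", "10.1.43"), "10.1.44"),
    "9.0": (("9.0.0.M1", "9.0.107"), "9.0.108"),
}

# Accepts a bare version or the "Apache Tomcat/x.y.z" form printed by version.sh.
_VERSION_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_GA = 10**6  # sentinel so a GA build sorts after every milestone of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a Tomcat version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def assess(text: str) -> Optional[str]:
    """Return the first fixed release for CVE-2025-48989 if `text` falls in an
    affected range, else None.

    None for a branch the advisory does not list (e.g. 8.5.x) means "not in
    the listed ranges"; the advisory says older EOL versions may also be
    affected, so do not read it as "safe".
    """
    v = parse_version(text)
    entry = AFFECTED.get(f"{v[0]}.{v[1]}")
    if entry is None:
        return None
    (low, high), fixed = entry
    return fixed if parse_version(low) <= v <= parse_version(high) else None


if __name__ == "__main__":
    # Constructed sample inventory, as a defender would collect it from version.sh.
    for seen in ["Apache Tomcat/9.0.107", "10.1.44", "11.0.0-M1", "8.5.100"]:
        fixed = assess(seen)
        print(f"{seen}: {'upgrade to ' + fixed if fixed else 'not in listed ranges'}")
```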
Credit:
The vulnerability was identified by Gal Bar Nahum, Anat Bremler-Barr,
and Yaniv Harel of Tel Aviv University
History:
2025-08-13 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html