CVE-2025-61795 Apache Tomcat - Delayed cleaning of multipart upload
temporary files may lead to DoS
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.11
Apache Tomcat 10.1.0-M1 to 10.1.46
Apache Tomcat 9.0.0.M1 to 9.0.109
Older, EOL versions may also be affected
Description:
If an error occurred (including exceeding a configured limit) during the
processing of a multipart upload, the temporary copies of the uploaded
parts that had already been written to local storage were not deleted
immediately but were left for the garbage collection process to clean
up. Depending on JVM settings, application memory usage and application
load, the disk space consumed by these temporary copies could fill
faster than GC reclaimed it, leading to a denial of service.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.12 or later
- Upgrade to Apache Tomcat 10.1.47 or later
- Upgrade to Apache Tomcat 9.0.110 or later
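As an added example, not part of this advisory or of Tomcat's own code, the
following Python script does two things a practitioner would want when
triaging this issue: it checks a Tomcat version string against the affected
ranges listed above, and it scans a directory for multipart temporary files
that have outlived any plausible request, which is how the accumulation
described above shows up on an affected host. The temp-file naming pattern
(upload_<uid>_<n>.tmp) and the default location (Tomcat's per-application
work directory unless a location is set in the multipart configuration) are
assumptions taken from the fileupload code, not from the advisory; adjust
them for your deployment.

```python
import os
import re
import sys
import tempfile
import time
from pathlib import Path

# First fixed release per supported branch, from the advisory's Mitigation
# section. Branches not listed here (e.g. 10.0.x, 8.5.x) are EOL and "may
# also be affected"; is_affected() returns None for them.
FIXED = {
    (11, 0): (11, 0, 12),
    (10, 1): (10, 1, 47),
    (9, 0): (9, 0, 110),
}

# Accepts "9.0.105", "Apache Tomcat/9.0.105", "11.0.0-M1" and "9.0.0.M1".
_VER_RE = re.compile(r"^(?:Apache Tomcat/)?(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; milestones sort below the matching GA release."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(text):
    """True if affected, False if fixed, None if the branch is EOL/unknown."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch not in FIXED:
        return None
    return v < FIXED[branch] + (1, 0)


# Assumed naming used by the fileupload DiskFileItem for on-disk parts:
# "upload_" + uid (UUID with '-' replaced by '_') + "_" + counter + ".tmp".
UPLOAD_TMP_RE = re.compile(r"^upload_[0-9a-f_]+_\d+\.tmp$")


def stale_upload_temp_files(directory, max_age_s, now=None):
    """Return [(path, age_seconds)] for upload temp files older than max_age_s,
    oldest first. Files of an in-flight request are young; anything older than
    your longest upload is a leaked part waiting on GC."""
    now = time.time() if now is None else now
    stale = []
    for p in Path(directory).iterdir():
        if p.is_file() and UPLOAD_TMP_RE.match(p.name):
            age = now - p.stat().st_mtime
            if age > max_age_s:
                stale.append((p, age))
    return sorted(stale, key=lambda item: item[1], reverse=True)


def build_sample_dir(now):
    """Constructed fixture: a fake work directory with upload temp files of
    known ages plus an unrelated file that must be ignored."""
    d = Path(tempfile.mkdtemp(prefix="tomcat-work-"))
    samples = {
        "upload_3f1a_0001.tmp": now - 5,       # fresh: request still in flight
        "upload_3f1a_0002.tmp": now - 3600,    # one hour old: leaked part
        "upload_3f1a_0003.tmp": now - 86400,   # one day old: leaked part
        "notes.txt": now - 86400,              # not an upload temp file
    }
    for name, mtime in samples.items():
        p = d / name
        p.write_bytes(b"x" * 16)
        os.utime(p, (mtime, mtime))
    return d


if __name__ == "__main__":
    # usage: script.py <tomcat-version> <work-dir> [max-age-seconds]
    version = sys.argv[1] if len(sys.argv) > 1 else "9.0.105"
    work_dir = sys.argv[2] if len(sys.argv) > 2 else build_sample_dir(time.time())
    max_age = float(sys.argv[3]) if len(sys.argv) > 3 else 300.0
    status = {True: "AFFECTED", False: "fixed", None: "EOL branch, may be affected"}
    print(f"{version}: {status[is_affected(version)]}")
    for path, age in stale_upload_temp_files(work_dir, max_age):
        print(f"stale part: {path} ({age / 60:.0f} min old, {path.stat().st_size} bytes)")
```

Run it against the version reported by catalina.sh version and the
application's work directory. Stale files found here are a symptom only;
deleting them by hand frees space but does not remove the defect, so the
upgrade above remains the fix.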
Credit:
sw0rd1ight (https://github.com/sw0rd1ight)
History:
2025-10-27 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html