Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass
Security Advisory
Summary
The Apache Software Foundation has released security updates addressing four newly disclosed vulnerabilities in Apache Tomcat 9.0.x, 10.1.x and 11.0.x. These flaws pose a serious threat, especially to high-availability or internet-exposed deployments.
Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.
OEM | Apache |
Severity | High |
CVSS Score | 8.4 |
CVEs | CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 |
Actively Exploited | No |
Exploited in Wild | No |
Advisory Version | 1.0 |
Overview
The affected branches (9.0.x, 10.1.x and 11.0.x) carry two high-impact denial-of-service (DoS) vulnerabilities in multipart request handling, a moderate authentication bypass flaw affecting PreResources/PostResources mounts, and a Windows installer issue that may allow local privilege escalation via side-loading.
Timely patching is essential to prevent potential service disruptions and unauthorized access.
Vulnerability Name | CVE ID | Product Affected | Severity |
Memory Exhaustion via Multipart Header Exploitation | CVE-2025-48976 | Apache Tomcat | High |
Multipart Upload Resource Exhaustion | CVE-2025-48988 | Apache Tomcat | High |
Security Constraint Bypass (Pre/PostResources) | CVE-2025-49125 | Apache Tomcat | High |
Windows Installer Side-Loading Risk | CVE-2025-49124 | Apache Tomcat | High |
Technical Summary
The vulnerabilities affect Tomcat's handling of multipart HTTP requests, its PreResources/PostResources mounting, and the Windows installer. Exploitation may result in denial of service (via memory exhaustion), local privilege escalation (via installer side-loading) and authentication bypass.
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2025-48976 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | Part headers in multipart uploads were buffered against a fixed, non-configurable size limit; a request carrying many parts with large header blocks could consume excessive memory. The fix adds a configurable per-part header size limit. | Denial of service. |
CVE-2025-48988 | Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 | A multipart request body containing a very large number of parts could drive memory usage up, because the existing limit on request parameters did not bound the number of parts as intended. The fix adds a separate limit on the number of parts per request. | Denial of service. |
CVE-2025-49125 | Tomcat with PreResources or PostResources mounted at a path other than the web application root | Such resources could also be reached through an unexpected alternate path that the security constraints defined for the expected path did not cover, so those constraints could be bypassed. | Authentication and authorization bypass. |
CVE-2025-49124 | Tomcat Windows installers | The installer invoked icacls.exe by name rather than by absolute path, so a malicious icacls.exe placed in a directory earlier on the PATH would run with the installer's (typically administrative) privileges. | Local privilege escalation during installation. |
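The two multipart DoS entries above come down to two missing bounds: how many bytes of part headers are buffered, and how many parts a single request may carry. The following is an added example, not Tomcat source: a toy streaming multipart/form-data parser with both bounds made explicit. The limit names mirror the Connector attributes maxPartHeaderSize and maxPartCount that the fixed releases introduced; the default values used here (512 bytes, 10 parts) are the ones I understand those releases shipped with, so verify them against the Connector documentation for your version. All request bodies are constructed test data.

```python
"""Toy multipart/form-data parser illustrating the part-count and
part-header-size limits whose absence underlies CVE-2025-48988 and
CVE-2025-48976.  Added example, not Apache Tomcat code.  Limit names and
defaults (assumed: maxPartCount=10, maxPartHeaderSize=512) follow the
Connector attributes added by the fixed releases."""
import io

CRLF = b"\r\n"


class PartLimitExceeded(Exception):
    """Raised when a request exceeds a configured multipart limit."""


def build_multipart(parts, boundary):
    """Assemble a multipart/form-data body from [(header_lines, payload)]."""
    out = bytearray()
    for header_lines, payload in parts:
        out += b"--" + boundary + CRLF
        for line in header_lines:
            out += line + CRLF
        out += CRLF + payload + CRLF
    out += b"--" + boundary + b"--" + CRLF
    return bytes(out)


def parse_multipart(body, boundary, max_part_count=10, max_part_header_size=512):
    """Parse a multipart body into [(headers_dict, payload_bytes)].

    Pass None for either limit to model the unpatched behaviour: header lines
    are then buffered without bound and any number of parts is accepted, which
    is what lets a single request drive memory consumption.
    """
    stream = io.BytesIO(body)
    delimiter = b"--" + boundary
    closing = delimiter + b"--"
    if stream.readline().rstrip(CRLF) != delimiter:
        raise ValueError("body does not start with the boundary delimiter")
    parts = []
    while True:
        # A new part begins: enforce the part-count limit before buffering anything.
        if max_part_count is not None and len(parts) >= max_part_count:
            raise PartLimitExceeded(f"more than {max_part_count} parts")
        headers, header_bytes = {}, 0
        while True:
            line = stream.readline()
            if not line:
                raise ValueError("truncated part headers")
            if line == CRLF:
                break  # blank line ends the header block
            header_bytes += len(line)
            if max_part_header_size is not None and header_bytes > max_part_header_size:
                raise PartLimitExceeded(f"part headers exceed {max_part_header_size} bytes")
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        payload_lines = []
        while True:
            line = stream.readline()
            if not line:
                raise ValueError("truncated part body")
            marker = line.rstrip(CRLF)
            if marker in (delimiter, closing):
                break
            payload_lines.append(line)
        payload = b"".join(payload_lines)
        if payload.endswith(CRLF):  # the CRLF before a delimiter belongs to the delimiter
            payload = payload[:-2]
        parts.append((headers, payload))
        if marker == closing:
            return parts


def rejected_by_limits(body, boundary, **limits):
    """True if the configured limits reject the body, False if it parses."""
    try:
        parse_multipart(body, boundary, **limits)
    except PartLimitExceeded:
        return True
    return False


def field(i):
    """One ordinary form field (constructed test data)."""
    return ([b'Content-Disposition: form-data; name="field%d"' % i], b"value%d" % i)


BOUNDARY = b"----ExampleBoundary7MA4YWxk"
# Constructed bodies: a normal form, one part with a bloated header block,
# and a form with more parts than the default limit allows.
NORMAL_FORM = build_multipart([field(i) for i in range(3)], BOUNDARY)
BLOATED_HEADER = build_multipart(
    [([b'Content-Disposition: form-data; name="f"', b"X-Padding: " + b"A" * 4000], b"x")],
    BOUNDARY)
MANY_PARTS = build_multipart([field(i) for i in range(11)], BOUNDARY)

if __name__ == "__main__":
    print(len(parse_multipart(NORMAL_FORM, BOUNDARY)), "parts accepted")
    for name, body in (("bloated header", BLOATED_HEADER), ("many parts", MANY_PARTS)):
        unpatched_accepts = not rejected_by_limits(
            body, BOUNDARY, max_part_count=None, max_part_header_size=None)
        print(f"{name}: unpatched accepts={unpatched_accepts}, "
              f"patched rejects={rejected_by_limits(body, BOUNDARY)}")
```

The important detail is where each check sits: the part-count check runs as soon as a new delimiter is seen, and the header-size check runs per line while headers are still being read, so a hostile request is rejected before the server has spent memory on it rather than after.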
Remediation:
Update immediately: users of affected versions should upgrade to the fixed release for their branch. The Windows installers shipped with these releases also carry the fix for CVE-2025-49124.
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later
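Before and after patching, two things are worth checking: whether a given Tomcat build falls inside the affected ranges from the table above, and whether any context.xml mounts PreResources or PostResources away from the web application root (the precondition for CVE-2025-49125). The script below is an added example, not part of the Apache advisory; the version strings and the context.xml are constructed samples, and the affected ranges and fixed releases are taken from this page.

```python
"""Added pre-patch assessment helper (not from the Apache advisory).
(1) assess_version: is a Tomcat version inside the affected ranges, and which
    release fixes it.  Ranges and fixed releases are those listed on this page.
(2) non_root_resource_mounts: list PreResources/PostResources elements in a
    context.xml whose webAppMount is not the web application root.
Sample inputs are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Fixed releases from the Remediation section; only these three branches are
# covered by the advisory, anything else is reported as "not covered".
FIXED_RELEASE = {(9, 0): (9, 0, 106), (10, 1): (10, 1, 42), (11, 0): (11, 0, 8)}

# Matches GA versions (9.0.105) and milestones in both spellings Tomcat has
# used (9.0.0.M1, 10.1.0-M1).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_tomcat_version(text):
    """Return (major, minor, patch, milestone) from a version string or from the
    'Server version: Apache Tomcat/x.y.z' line printed by version.sh;
    milestone is None for GA releases."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, milestone


def _order_key(version):
    major, minor, patch, milestone = version
    # A milestone (e.g. 10.1.0-M1) precedes the GA build of the same x.y.z.
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def assess_version(text):
    """Return (status, fixed_release): status is 'affected', 'fixed' or 'not covered'."""
    version = parse_tomcat_version(text)
    branch = version[:2]
    if branch not in FIXED_RELEASE:
        return "not covered", None
    fixed = FIXED_RELEASE[branch]
    fixed_str = "%d.%d.%d" % fixed
    if _order_key(version) < _order_key(fixed + (None,)):
        return "affected", fixed_str
    return "fixed", fixed_str


def non_root_resource_mounts(context_xml):
    """Return [(tag, base, webAppMount)] for each PreResources or PostResources
    element mounted somewhere other than '/'.  webAppMount defaults to '/' in
    Tomcat, so an absent attribute is treated as a root mount."""
    root = ET.fromstring(context_xml)
    found = []
    for elem in root.iter():
        if elem.tag not in ("PreResources", "PostResources"):
            continue
        mount = elem.get("webAppMount", "/")
        if mount.rstrip("/") != "":
            found.append((elem.tag, elem.get("base"), mount))
    return found


# Constructed sample context.xml: one non-root mount, one root mount.
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared/static" webAppMount="/static" />
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/legacy" />
  </Resources>
</Context>
"""

if __name__ == "__main__":
    for line in ("Server version: Apache Tomcat/9.0.105", "Apache Tomcat/10.1.0-M1",
                 "Apache Tomcat/11.0.8", "Apache Tomcat/8.5.100"):
        print(line, "->", assess_version(line))
    for tag, base, mount in non_root_resource_mounts(SAMPLE_CONTEXT_XML):
        print(f"{tag} base={base} mounted at {mount}: review its security constraints")
```

Feed assess_version the output of `bin/version.sh` (or `version.bat`) from each installation; a non-root mount reported by non_root_resource_mounts is not a vulnerability by itself, but it is the configuration the bypass requires, so those instances should be patched first.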
Conclusion:
Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls.
The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.
Because Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent exploitation, service outages or unauthorized access.
References:
- https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db