Apache

Security Advisory

Apache Tomcat Vulnerabilities Expose Systems to DoS & Authentication Bypass  

Security Advisory; Summary

Multiple vulnerabilities have been identified in Apache Tomcat affecting various versions and critical security updates provided to address four newly discovered vulnerabilities in Apache Tomcat. The disclosed Apache Tomcat vulnerabilities pose serious threats, especially in high-availability or internet-exposed environments.

Apache Tomcat is one of the world’s most widely used open-source Java servlet containers.

OEM Apache 
Severity High 
CVSS Score 8.4 
CVEs CVE-2025-48976, CVE-2025-48988, CVE-2025-49125, CVE-2025-49124 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

The affected versions 9.0.x, 10.1.x and 11.0.x, also include high-impact denial-of-service (DoS) vulnerabilities and a moderate authentication bypass flaw as well as a Windows installer issue that may allow privilege escalation via side-loading. 

Timely patching is essential to prevent potential service disruptions and unauthorized access. 

Vulnerability Name CVE ID Product Affected Severity 
​Memory Exhaustion via Multipart Header Exploitation  CVE-2025-48976 Apache Tomcat  High 
Multipart Upload Resource Exhaustion  CVE-2025-48988 Apache Tomcat  High 
Security Constraint Bypass (Pre/PostResources)  CVE-2025-49125 Apache Tomcat  High 
Windows Installer Side-Loading Risk  CVE-2025-49124 Apache Tomcat  High 

Technical Summary 

The vulnerabilities affect Tomcat’s handling of multipart HTTP requests, resource mounting and Windows installation process. Exploitation may result in denial-of-service (via memory exhaustion), privilege escalation (via installer abuse) and authentication bypass. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-48976 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Fixed memory allocation limit in multipart header processing could be exploited to consume memory and cause DoS.  Denial-of-service attack. 
  CVE-2025-48988 Apache Tomcat 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 Multipart request body with many parts can trigger high memory usage due to improper limit handling between parameters and parts.  Denial-of-service attack. 
  CVE-2025-49125  Tomcat with Pre/Post Resources enabled Lack of resource path normalization allows attackers to access resources outside root bypassing auth controls. Authentication and Authorization Bypass. 
  CVE-2025-49124  Tomcat Windows Installers Installer invoked icacls.exe without full path, making it vulnerable to side-loading attacks via PATH manipulation. Privilege Escalation. 

Remediation

Update Immediately: Users of the affected versions should apply one of the following mitigations. 

  • Upgrade to Apache Tomcat 11.0.8 or later 
  • Upgrade to Apache Tomcat 10.1.42 or later   
  • Upgrade to Apache Tomcat 9.0.106 or later 

Conclusion: 

Attackers could exploit these flaws to cause denial-of-service, escalate privileges or bypass authentication and authorization controls. 

The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.

Tomcat is widely used in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.

References

  • https://lists.apache.org/thread/0jwb3d3sjyfk5m6xnnj7h9m7ngxz23db 

Security Advisory

Apache Parquet Java Vulnerability Enables Remote Code Execution via Avro Schema 

Summary Security Advisory:

A high-severity remote code execution (RCE) has been identified in Apache Parquet Java, specifically within the parquet-avro module. Discovered by Apache contributor Gang Wu, this vulnerability affects all versions up to and including 1.15.1 and can allow attackers to execute arbitrary code when a system processes a specially crafted Parquet file. The issue is fixed in version 1.15.2. 

OEM Apache 
Severity High 
CVSS Score Not Available 
CVEs CVE-2025-46762 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Apache Parquet is an open-source, columnar storage format designed for efficient data processing, widely used by big data platforms and organizations engaged in data engineering and analytics.

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Remote Code Execution vulnerability  CVE-2025-46762 Apache Parquet Java  High  1.15.2 

Technical Summary 

CVE-2025-46762 arises from insecure schema parsing logic in the parquet-avro module of Apache Parquet Java. When the application uses the “specific” or “reflect” Avro data models to read a Parquet file, malicious actors can inject specially crafted metadata into the Avro schema portion of the file.

Upon deserialization, the system may inadvertently execute code from Java classes listed in the default trusted packages (e.g., java.util), resulting in remote code execution. The vulnerability is not present when using the safer “generic” Avro model. 

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-46762  Apache Parquet Java ≤1.15.1 Insecure deserialization in the parquet-avro module allows execution of arbitrary Java classes when processing Parquet files with embedded malicious Avro schemas. The issue is exploitable only when using the “specific” or “reflect” data models, and relies on the presence of pre-approved trusted packages like java.util.  Remote Code Execution (RCE), potential supply chain compromise, unauthorized code execution. 

Conditions for Exploitation: 

  • Applications must use parquet-avro to read Parquet files. 
  • The Avro “specific” or “reflect” deserialization models are used (not “generic”). 
  • Attacker-supplied or untrusted Parquet files are processed by the system. 

This creates significant risk in data processing environments such as Apache Spark, Flink, and Hadoop, where external Parquet files are commonly ingested. 

Remediation

  • Upgrade to Apache Parquet Java version 1.15.2: This version addresses the vulnerability by tightening controls around trusted packages and blocking unsafe deserialization. 
  • For users unable to upgrade immediately: apply the following JVM system property to disable trusted package deserialization: 

-Dorg.apache.parquet.avro.SERIALIZABLE_PACKAGES=”” 

Conclusion: 
CVE-2025-46762 presents a significant RCE threat within big data ecosystems that use Apache Parquet Java with the parquet-avro module. Systems relying on unsafe deserialization patterns are especially at risk. Prompt patching or configuration hardening is strongly recommended to safeguard against exploitation. 

References

Security Advisory

Critical Session Management Vulnerability in Apache Roller 

Summary Security Advisory

Apache Roller, a widely used Java-based blogging platform, enabling users to create, manage, and publish blog content. It supports features like user authentication, content management, and customizable themes.

OEM Apache 
Severity Critical 
CVSS Score 10.0 
CVEs CVE-2025-24859 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

A critical security vulnerability (CVE-2025-24859) has been discovered in Apache Roller (versions 1.0.0 to 6.1.4), where old sessions are not invalidated after a password change, allowing attackers to maintain unauthorized access if they have stolen a session token. This flaw poses a significant risk of session hijacking and unauthorized access, and users are advised to upgrade to version 6.1.5 to mitigate the issue. 

Vulnerability Name CVE ID Product Affected Severity 
Insufficient Session Expiration on Password Change CVE-2025-24859 Apache Roller Critical 

Technical Summary 

The vulnerability centers on insufficient session expiration.

When a user or administrator changes a password, Apache Roller versions before 6.1.5 do not properly invalidate existing sessions.

As a result, any session tokens  before the password change remain valid.

This means that if an attacker has already compromised a user’s credentials and established a session, they can continue to access the application even after the password is updated, effectively bypassing a key security control.

This can be a big security threat, particularly in systems used by many users or administrators, where it’s important to keep sessions secure. 

CVE ID System Affected Vulnerability Details Impact 
 CVE-2025-24859  Apache Roller 1.0.0 – 6.1.4 Sessions are not invalidated after password change, allowing persistent access through old sessions if compromised.  Unauthorized Access /  Session Hijacking 

Remediation

  • Apply Patches Promptly: Upgrade immediately to Apache Roller version 6.1.5, which implements proper centralized session invalidation. 

Conclusion: 

CVE-2025-24859 represents a critical access control threat to Apache Roller implementations.

Although no active exploitation has been observed still now, it’s easy for attackers to misuse sessions if they gain access. Its important for organizations using Apache Roller to quickly update to version 6.1.5 to fix this problem. 

This is a critical step in maintaining the security of blog sites and protecting user data.

CVE-2025-24859 highlights the importance of robust session management in web applications.

References

Security Advisory

Apache NiFi Security Flaw Exposes MongoDB Credentials 

Security Advisory

A security vulnerability, CVE-2025-27017, has been identified in Apache NiFi.

These events retain usernames/passwords used for MongoDB authentication, violating credential isolation principles.

OEM Apache 
Severity Medium 
CVSS 6.9 
CVEs CVE-2025-27017 
Exploited in Wild No 
Patch/Remediation Available Yes 
Advisory Version 1.0 

Overview 

A widely used data flow automation tool which allows unauthorized access to MongoDB credentials stored in provenance events. The Versions are affected from v1.13.0 to v2.2.0. In v2.3.0 the issue has been addressed. 

Vulnerability Name CVE ID Product Affected Severity 
 Apache NiFi Credential Exposure  CVE-2025-27017  Apache NiFi  Medium 

Technical Summary 

The vulnerability stems from Apache NiFi’s inclusion of MongoDB usernames and passwords in provenance event records.

Any authorized user with read access to these records can extract credentials information, leading to potential unauthorized access to MongoDB databases.  

CVE ID System Affected Vulnerability Details Impact 
  CVE-2025-27017   Apache NiFi 1.13.0 – 2.2.0   MongoDB credentials are stored in provenance events, allowing unauthorized extraction by users with read access.  Unauthorized access to MongoDB databases, potential data breaches.  

Remediation

  • Upgrade to Apache NiFi 2.3.0: The latest version removes credentials from provenance events, mitigating the vulnerability. 

General Recommendations: 

  • Restrict access to provenance data: Ensure only authorized personnel can view provenance records. 
  • Rotate MongoDB credentials: If affected versions were in use, change database credentials to prevent unauthorized access. 
  • Conduct security audits: Regularly review system logs and access controls to identify any unauthorized access attempts. 

Conclusion: 

This vulnerability poses a risk to organizations using Apache NiFi for data processing workflows involving MongoDB. Immediate action is recommended to upgrade to version 2.3.0 or later, restrict access to provenance data, and rotate credentials to mitigate any potential exposure. Organizations should implement stringent security measures to protect against similar vulnerabilities in the future.

This security flaw is particularly concerning because provenance events play a crucial role in auditing and monitoring data flows within NiFi. If left unpatched, this vulnerability could result in data breaches, unauthorized modifications, or even complete database compromise.

References: 

Security Advisory

Critical Apache Tomcat Vulnerabilities Allow RCE & DoS

Summary

OEMApache
SeverityCritical
CVSS9.8
CVEsCVE-2024-50379, CVE-2024-54677
Exploited in WildYes
Patch/Remediation AvailableYes
Advisory Version1.0

Overview

Recent vulnerabilities in Apache Tomcat, identified as CVE-2024-50379 and CVE-2024-54677, present significant security threats, including remote code execution (RCE) and denial-of-service (DoS) risks. CVE-2024-50379 exploits a race condition during JSP compilation on case-insensitive file systems, enabling attackers to run arbitrary code. CVE-2024-54677 takes advantage of unlimited file uploads in example applications to trigger resource exhaustion.

Vulnerability NameCVE IDProduct AffectedSeverityAffected Version
Race Condition Vulnerability CVE-2024-50379ApacheCriticalApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97
Uncontrolled Resource Consumption Vulnerability CVE-2024-54677ApacheMediumApache Tomcat 11.0.0-M1 to 11.0.1 Apache Tomcat 10.1.0-M1 to 10.1.33 Apache Tomcat 9.0.0.M1 to 9.0.97

Technical Summary

CVE IDSystem AffectedVulnerability DetailsImpact
CVE-2024-50379Apache TomcatA race condition during JSP compilation in Apache Tomcat allows attackers to upload malicious JSP files, leading to remote code execution. This occurs when the default servlet is configured with write permissions on a case-insensitive file system.    Remote Code Execution
CVE-2024-54677Apache TomcatThe examples web application in Apache Tomcat does not limit the size of uploaded data, enabling attackers to cause an OutOfMemoryError by uploading excessive amounts of data, leading to a denial of service.    Denial of Service

Remediation:

  • Upgrade Apache Tomcat to the latest fixed versions:
    • Apache Tomcat 11.0.2 or latest
    • Apache Tomcat 10.1.34 or latest
    • Apache Tomcat 9.0.98 or latest

Recommendations:

  • Configuration Hardening:
    • Restrict write permissions for the default servlet to prevent unauthorized JSP file uploads.
    • Remove or disable example applications to reduce exposure to potential attacks.
  • Monitor and Audit:
    • Regularly review server logs for signs of exploitation attempts.
    • Apply a robust file upload policy to limit sizes and validate content.
  • Regularly update all your software’s to address security vulnerabilities 

References:

Scroll to top