CVE-2025-48976

Source
Severity: Medium
Remote: Yes
Type: Denial of service
Description:
Apache Commons FileUpload imposed a hard-coded limit of 10kB on the size of the headers of each part of a multipart request. A specially crafted request with a large number of parts, each carrying headers close to that limit, could trigger excessive memory usage and lead to a denial of service. The limit is now configurable (maxPartHeaderSize on the Connector) and defaults to 512 bytes.
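The request shape described above, together with a per-part header cap of the kind the fix introduces, as an added example written for this page (not code from Apache Tomcat or Commons FileUpload). build_multipart() constructs the crafted body; the boundary string, the X-Pad header used for padding and the part data are assumptions. parse_part_headers() walks the body and rejects a part the moment its header block exceeds the cap, the property a maxPartHeaderSize-style limit has to provide, and it reports how many header bytes a container would retain if it kept every part's headers for the lifetime of the request.

```python
"""Added example for CVE-2025-48976 (constructed for this page; not Tomcat or
Commons FileUpload code): build the crafted multipart body the advisory
describes and enforce a per-part header cap like Tomcat's maxPartHeaderSize."""

# Constructed boundary; any value that does not occur in the part data works.
BOUNDARY = b"----cve-2025-48976-example"


def build_multipart(num_parts, header_bytes, boundary=BOUNDARY):
    """Return a multipart/form-data body with num_parts parts whose header
    block (all header lines including their CRLFs, excluding the blank line)
    is exactly header_bytes long once the padding fits. Padding goes into an
    X-Pad header, an assumption: any header the parser accepts would do."""
    base = (b'Content-Disposition: form-data; name="f"\r\n'
            b"Content-Type: text/plain\r\n")
    frame = b"X-Pad: " + b"\r\n"
    pad_len = max(0, header_bytes - len(base) - len(frame))
    headers = base + b"X-Pad: " + b"A" * pad_len + b"\r\n"
    part = b"--" + boundary + b"\r\n" + headers + b"\r\n" + b"x\r\n"
    return part * num_parts + b"--" + boundary + b"--\r\n"


def parse_part_headers(body, boundary, max_part_header_size):
    """Walk a multipart body and return (header_blocks, total_header_bytes).

    Raises ValueError as soon as one part's header block exceeds
    max_part_header_size, before that part or any later part is retained.
    total_header_bytes is what a container keeps in memory if, like a
    servlet request's parts collection, it holds every part's headers for
    the lifetime of the request."""
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        raise ValueError("no boundary found")
    blocks, total = [], 0
    while True:
        pos += len(delim)
        if body.startswith(b"--", pos):          # closing delimiter
            return blocks, total
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        # The blank line ends the header block; searching from pos-2 also
        # handles a part with no headers at all (a 0-byte header block).
        end = body.find(b"\r\n\r\n", pos - 2)
        if end < 0:
            raise ValueError("unterminated part headers")
        block = body[pos:end + 2]
        if len(block) > max_part_header_size:
            raise ValueError(
                f"part {len(blocks)}: {len(block)}-byte headers exceed "
                f"maxPartHeaderSize={max_part_header_size}")
        blocks.append(block)
        total += len(block)
        nxt = body.find(b"\r\n" + delim, end + 4)  # skip the part data
        if nxt < 0:
            raise ValueError("unterminated part data")
        pos = nxt + 2


def rejected(body, max_part_header_size, boundary=BOUNDARY):
    """True if the per-part header cap stops this body."""
    try:
        parse_part_headers(body, boundary, max_part_header_size)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    crafted = build_multipart(num_parts=2000, header_bytes=10 * 1024)
    _, retained = parse_part_headers(crafted, BOUNDARY, 10 * 1024)
    print(f"legacy 10kB cap: accepted, about {retained / 1e6:.1f} MB of "
          f"part headers retained from {len(crafted) / 1e6:.1f} MB of body")
    print(f"512-byte cap: rejected={rejected(crafted, 512)}")
```

Run stand-alone, the script contrasts the old fixed 10kB cap, which accepts 2000 parts and retains about 20 MB of headers, with the new 512-byte default, which refuses the first oversized part. In Tomcat the value is an attribute of the Connector element in server.xml, e.g. `<Connector ... maxPartHeaderSize="512" />`; a normal file part's Content-Disposition and Content-Type lines together are well under 200 bytes, so 512 leaves room for long filenames, and it should be raised only for parts that legitimately carry more header data. Note that the cap bounds each part, not the number of parts: total retained header bytes still grow linearly with part count, so the part count needs its own limit if the container retains all parts.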
Group     Package   Affected    Fixed   Severity   Status       Ticket
AVG-2889  tomcat9   9.0.100-1   -       High       Vulnerable   -
AVG-2888  tomcat10  10.1.40-1   -       High       Vulnerable   -
References
https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93