CVE-2025-48976 - log

CVE-2025-48976 edited at 18 Jun 2025 22:53:58
References
https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
+ https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93
CVE-2025-48976 created at 18 Jun 2025 22:46:29
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable in Tomcat (maxPartHeaderSize on the Connector) with a default of 512 bytes.
References
+ https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
+ https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93
Notes
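The description above says what the fix changed (a hard-coded 10kB per-part header ceiling became a configurable limit defaulting to 512 bytes) but not why the bound has to be enforced while reading rather than after. The following is an added illustration, not code from Apache Commons FileUpload or Tomcat: a small streaming multipart parser in which the header block of every part is read against a byte budget and parsing stops on the first over-long line. The 512-byte default and the name maxPartHeaderSize are taken from the advisory text; the parser, the request builder and the sample bodies (one benign request, one with many parts each carrying an oversized header, as the advisory describes) are constructed here and are assumptions of the example.

```python
"""Bounded reading of multipart part headers (added example for CVE-2025-48976).

Not code from Apache Commons FileUpload or Tomcat. The 512-byte default and the
name maxPartHeaderSize mirror the advisory; everything else is constructed here.
"""
from __future__ import annotations

import io
from dataclasses import dataclass

DEFAULT_MAX_PART_HEADER_SIZE = 512   # default named in the advisory
LEGACY_HEADER_LIMIT = 10 * 1024      # the former hard-coded 10 kB ceiling


class PartHeaderTooLarge(Exception):
    """A single part's header block exceeded the configured limit."""


@dataclass
class Part:
    headers: dict[str, str]
    body: bytes


def read_part_headers(stream: io.BufferedIOBase, max_part_header_size: int) -> dict[str, str]:
    """Read one part's header block without ever buffering more than the limit.

    readline() is asked for at most one byte beyond the remaining budget, so an
    oversized header is rejected on its first over-long line, not after the
    whole block has been allocated.
    """
    budget = max_part_header_size
    headers: dict[str, str] = {}
    while True:
        line = stream.readline(budget + 1)
        if len(line) > budget:
            raise PartHeaderTooLarge(f"part headers exceed {max_part_header_size} bytes")
        if not line.endswith(b"\r\n"):
            raise ValueError("truncated part: header block not terminated")
        budget -= len(line)
        if line == b"\r\n":          # blank line ends the header block
            return headers
        name, sep, value = line[:-2].partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")


def parse_multipart(body: bytes, boundary: bytes,
                    max_part_header_size: int = DEFAULT_MAX_PART_HEADER_SIZE) -> list[Part]:
    """Parse a multipart body, applying the per-part header budget to every part.

    Part bodies are read line by line; bounding their total size is a separate
    control (e.g. Tomcat's maxPostSize) and is deliberately not modelled here.
    """
    stream = io.BytesIO(body)
    delimiter = b"--" + boundary
    line = stream.readline()
    while line and line.rstrip(b"\r\n") != delimiter:   # skip any preamble
        line = stream.readline()
    if not line:
        raise ValueError("no opening boundary")
    parts: list[Part] = []
    while True:
        headers = read_part_headers(stream, max_part_header_size)
        chunks = []
        while True:
            line = stream.readline()
            if not line:
                raise ValueError("truncated part body")
            marker = line.rstrip(b"\r\n")
            if marker in (delimiter, delimiter + b"--"):
                break
            chunks.append(line)
        data = b"".join(chunks)
        parts.append(Part(headers, data[:-2] if data.endswith(b"\r\n") else data))
        if marker == delimiter + b"--":    # closing delimiter reached
            return parts


BOUNDARY = b"boundary42"   # constructed sample data, not a captured request


def build_request(part_headers: list[list[tuple[bytes, bytes]]]) -> bytes:
    """Assemble a multipart body from constructed parts; part i carries body 'value<i>'."""
    out = bytearray()
    for i, hdrs in enumerate(part_headers):
        out += b"--" + BOUNDARY + b"\r\n"
        for name, value in hdrs:
            out += name + b": " + value + b"\r\n"
        out += b"\r\n" + b"value%d\r\n" % i
    out += b"--" + BOUNDARY + b"--\r\n"
    return bytes(out)


BENIGN = build_request([
    [(b"Content-Disposition", b'form-data; name="field1"')],
    [(b"Content-Disposition", b'form-data; name="file1"; filename="a.txt"'),
     (b"Content-Type", b"text/plain")],
])
# Many parts, each with a header just under the old 10 kB ceiling: the shape the advisory describes.
OVERSIZED = build_request([[(b"Content-Disposition", b'form-data; name="x"'),
                            (b"X-Padding", b"A" * 8000)]] * 200)


def demo() -> dict[str, object]:
    """Compare the 512-byte default against the legacy 10 kB limit on both bodies."""
    result: dict[str, object] = {"benign_parts": len(parse_multipart(BENIGN, BOUNDARY))}
    try:
        parse_multipart(OVERSIZED, BOUNDARY)
        result["oversized"] = "accepted"
    except PartHeaderTooLarge:
        result["oversized"] = "rejected"      # stops at the first part, first over-long line
    # Under the old ceiling every part is accepted, so its cost is paid 200 times.
    result["oversized_at_10k"] = len(parse_multipart(OVERSIZED, BOUNDARY, LEGACY_HEADER_LIMIT))
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the budget is that the server's exposure is bounded by max_part_header_size times the number of parts it is willing to process, instead of by whatever the client chooses to send per part. In Tomcat the equivalent knob is the maxPartHeaderSize attribute on the Connector element in server.xml, defaulting to 512 bytes; if legitimate clients genuinely need larger part headers, raise it to a measured value rather than restoring a 10kB-style ceiling.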