CVE-2025-48988

Source
Severity Medium
Remote Yes
Type Denial of service
Description
Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.
Group     Package   Affected    Fixed  Severity  Status      Ticket
AVG-2889  tomcat9   9.0.100-1   -      High      Vulnerable  -
AVG-2888  tomcat10  10.1.40-1   -      High      Vulnerable  -
References
https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910