Apache Tomcat Flaws Allow Auth Bypass and DoS Attacks
The Apache Software Foundation has released security updates to address four newly disclosed vulnerabilities in Apache Tomcat, one of the most widely used open-source Java servlet containers.
The flaws affect the 9.0, 10.1 and 11.0 branches and expose deployments to denial-of-service (DoS) attacks, a Windows installer side-loading issue that can lead to local privilege escalation, and a security-constraint bypass that can amount to an authentication or authorization bypass. Users are urged to update their deployments promptly.
Summary of Vulnerabilities
| CVE ID | Severity | Description | Affected Versions |
|---|---|---|---|
| CVE-2025-48976 | Important | DoS via multipart header overload | 11.0.0-M1 to 11.0.7, 10.1.0-M1 to 10.1.41, 9.0.0.M1 to 9.0.105 |
| CVE-2025-48988 | Important | DoS via multipart upload abuse | 11.0.0-M1 to 11.0.7, 10.1.0-M1 to 10.1.41, 9.0.0.M1 to 9.0.105 |
| CVE-2025-49124 | Low | Windows installer side-loading risk | 11.0.0-M1 to 11.0.7, 10.1.0 to 10.1.41, 9.0.23 to 9.0.105 |
| CVE-2025-49125 | Moderate | Security constraint bypass for PreResources/PostResources | 11.0.0-M1 to 11.0.7, 10.1.0-M1 to 10.1.41, 9.0.0.M1 to 9.0.105 |
Detailed Analysis
CVE-2025-48976: DoS via Multipart Header Overload
This vulnerability stems from Apache Commons FileUpload, and Tomcat's packaged copy of it, applying only a hard-coded 10 kB limit to the headers of each multipart part.
Because that limit is per part and nothing capped the number of parts, an attacker could send requests containing many parts, each carrying headers close to the 10 kB cap, and force the server to buffer all of them, consuming excessive memory and causing a denial of service.
The fix replaces the hard-coded value with a configurable Connector attribute, maxPartHeaderSize, defaulting to 512 bytes, so that a part whose headers exceed the limit is rejected instead of buffered.
CVE-2025-48988: Multipart Upload Abuse Enables DoS
Tomcat's earlier handling of multipart uploads did not distinguish between ordinary request parameters and multipart parts, so the only bound on the number of parts was the far larger parameter limit. An attacker could therefore flood a server with requests containing thousands of parts and exhaust its memory. The update adds a Connector attribute, maxPartCount (default: 10 parts), and rejects any request that exceeds it, significantly reducing the risk of DoS from multipart upload abuse. Administrators whose applications legitimately upload more than ten files per request should raise the value deliberately rather than rely on the default.
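The following is an added example, not code from Tomcat or Commons FileUpload, showing how the two limits introduced for CVE-2025-48976 and CVE-2025-48988 work in practice. It pairs a builder that produces the kind of request the advisories describe (many parts, or parts with oversized headers) with a minimal multipart/form-data parser that enforces a part count limit and a per-part header size limit before buffering anything. The function names, the boundary string and the sample bodies are this example's own constructions; the parser illustrates the principle and is not a reproduction of Tomcat's implementation.

```python
"""Added example: multipart limits of the kind Tomcat 9.0.106 / 10.1.42 / 11.0.8
introduce (maxPartCount, maxPartHeaderSize). Names and data are constructed
for illustration and are not taken from the Tomcat code base."""

BOUNDARY = "----ExampleBoundary7f3a"  # constructed boundary for the sample bodies
CRLF = "\r\n"


class MultipartLimitExceeded(Exception):
    """Raised as soon as a request exceeds the part count or header size limit."""


def build_multipart(part_count: int, header_pad: int = 0) -> bytes:
    """Construct a multipart/form-data body with `part_count` parts.

    When header_pad > 0 each part also carries a bogus X-Pad header of that
    many bytes, which is how an attacker drives the per-part header size up
    towards the old hard-coded 10 kB cap."""
    chunks = []
    for i in range(part_count):
        headers = [f'Content-Disposition: form-data; name="f{i}"']
        if header_pad:
            headers.append("X-Pad: " + "A" * header_pad)
        chunks.append(f"--{BOUNDARY}{CRLF}" + CRLF.join(headers) + CRLF + CRLF + f"v{i}" + CRLF)
    chunks.append(f"--{BOUNDARY}--{CRLF}")
    return "".join(chunks).encode()


def parse_multipart(body: bytes, max_part_count: int = 10,
                    max_part_header_size: int = 512) -> list:
    """Parse `body`, enforcing both limits per part before the part is stored.

    Returns a list of (headers, payload) tuples. The defaults mirror the
    defaults the fixed Tomcat releases ship with (10 parts, 512-byte headers)."""
    delimiter = f"--{BOUNDARY}".encode()
    separator = (CRLF + CRLF).encode()
    parts = []
    # segments[0] is the preamble before the first delimiter and is ignored;
    # the closing delimiter leaves a segment starting with "--".
    for seg in body.split(delimiter)[1:]:
        if seg.startswith(b"--"):
            break
        # Limit 1: stop reading before the (n+1)th part is buffered.
        if len(parts) >= max_part_count:
            raise MultipartLimitExceeded(f"more than {max_part_count} parts")
        if not seg.startswith(CRLF.encode()):
            raise ValueError("malformed part: delimiter not followed by CRLF")
        seg = seg[len(CRLF):]
        header_blob, _, payload = seg.partition(separator)
        # Limit 2: reject oversized part headers instead of buffering them.
        if len(header_blob) > max_part_header_size:
            raise MultipartLimitExceeded(
                f"part header of {len(header_blob)} bytes exceeds {max_part_header_size}")
        headers = {}
        for line in header_blob.decode("latin-1").split(CRLF):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if payload.endswith(CRLF.encode()):
            payload = payload[:-len(CRLF)]
        parts.append((headers, payload))
    return parts


def is_rejected(body: bytes, **limits) -> bool:
    """True if the parser rejects `body` under the given limits, else False."""
    try:
        parse_multipart(body, **limits)
    except MultipartLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    print(len(parse_multipart(build_multipart(3))), "parts accepted")
    print("11 parts rejected:", is_rejected(build_multipart(11)))
    print("600-byte headers rejected:", is_rejected(build_multipart(1, header_pad=600)))
```

The important design point is the order of operations: both checks run before a part is buffered, so a request with thousands of parts is rejected on the eleventh delimiter rather than after all of it has been read into memory, and a part with a 10 kB header block never gets decoded. Raising `max_part_header_size` or `max_part_count` in the call corresponds to raising the Connector attributes for an application that genuinely needs larger uploads.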
CVE-2025-49124: Windows Installer Side-Loading Risk
On Windows, the Tomcat installer invoked icacls.exe without specifying a full path. Windows resolves an unqualified executable name by searching the PATH, so a malicious icacls.exe placed in a directory that is searched before the system directory would run with the installer's privileges, which are typically administrative.
The issue is rated low because it requires an attacker who can already write to such a directory on the machine where the installer is run, but in that setting it is a local privilege escalation. The fix makes the installer call icacls.exe by its fully qualified path.
CVE-2025-49125: Security Constraint Bypass in Pre/PostResources
This moderate-severity flaw affects deployments that use PreResources or PostResources mounted at a location other than the root of the web application.
Such resources could be reached through an unexpected path that differs from the one the administrator wrote security constraints for, so the constraints did not apply and authentication or authorization checks could be bypassed. The patch corrects the resource path handling so that the resources are only reachable at the path the security constraints cover. Administrators who rely on this feature should review their web.xml security constraints to confirm they cover the mount point in use.
Administrators are strongly advised to upgrade to Apache Tomcat 11.0.8, 10.1.42, or 9.0.106, depending on their deployment version, to address all four vulnerabilities.
The Apache Software Foundation credits the TERASOLUNA Framework Security Team of NTT DATA Group Corporation and T. Doğa Gelişli for identifying these issues.
With Tomcat’s widespread use in enterprise and cloud environments, prompt patching is essential to prevent potential exploitation, service outages, or unauthorized access.