The Apache Software Foundation (ASF) has issued vital security patches for Apache Tomcat, addressing four newly discovered vulnerabilities that could lead to authentication bypasses and denial-of-service (DoS) attacks. Apache Tomcat is an open-source web server and servlet container that hosts Java-based web applications and is widely used by large enterprises and SaaS providers.

One of the primary vulnerabilities, identified as CVE-2025-48976, involves a flaw in Apache Commons FileUpload. Previously, this component applied a fixed limit of 10kB to multipart header sizes. An attacker could abuse this by sending requests containing many multipart headers, which would consume excessive memory and potentially disrupt service (a DoS attack). The latest patch introduces a configurable maxPartHeaderSize attribute, with a default of 512 bytes, to mitigate this risk.

Apache Tomcat security risks

Another critical issue, CVE-2025-48988, relates to the handling of multipart uploads in Tomcat. The previous code did not effectively distinguish between request parameters and multipart parts, which led to increased memory usage during request processing. This flaw could be exploited by flooding a server with multipart requests, exhausting its memory and causing a DoS. According to ASF, the update now allows administrators to define a maxPartCount, defaulting to ten parts, which significantly reduces the likelihood of DoS attacks via multipart upload abuse.
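The two limits described above, shown in a small multipart/form-data scanner added here as an example (not code from the advisory or from Tomcat): it rejects a part whose headers exceed maxPartHeaderSize before those headers are stored, and rejects the request as soon as the number of parts exceeds maxPartCount. The function and argument names are this example's own, not Tomcat's configuration attributes, and the request bodies are constructed.

```python
# Added example, not code from the advisory or from Tomcat: a minimal
# multipart/form-data scanner enforcing the two limits the patched releases
# add, maxPartHeaderSize (default 512 bytes) and maxPartCount (default 10).

class MultipartLimitError(ValueError):
    """Raised when a request exceeds a configured multipart limit."""

def check_multipart(body: bytes, boundary: bytes, max_part_count: int = 10,
                    max_part_header_size: int = 512) -> list:
    """Walk the body and return per-part metadata, or raise on a limit."""
    delim = b"--" + boundary
    parts = []
    pos = body.find(delim)
    if pos < 0:
        raise MultipartLimitError("boundary not found")
    pos += len(delim)
    while True:
        if body.startswith(b"--", pos):      # closing delimiter reached
            return parts
        pos = body.find(b"\r\n", pos)        # end of the delimiter line
        if pos < 0:
            raise MultipartLimitError("truncated part")
        pos += 2
        # Reject the (n+1)th part before reading any of its headers.
        if len(parts) >= max_part_count:
            raise MultipartLimitError("maxPartCount exceeded")
        hdr_end = body.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            raise MultipartLimitError("truncated part headers")
        # Check the header size before decoding or storing the headers.
        if hdr_end - pos > max_part_header_size:
            raise MultipartLimitError("maxPartHeaderSize exceeded")
        headers = body[pos:hdr_end].decode("latin-1").split("\r\n")
        body_start = hdr_end + 4
        nxt = body.find(b"\r\n" + delim, body_start)
        if nxt < 0:
            raise MultipartLimitError("unterminated part body")
        parts.append({"headers": headers, "header_bytes": hdr_end - pos,
                      "body_bytes": nxt - body_start})
        pos = nxt + 2 + len(delim)

def sample_body(boundary: bytes, n_parts: int, pad: int = 0) -> bytes:
    """Constructed body with n_parts fields; pad inflates each part's headers."""
    out = b""
    for i in range(n_parts):
        out += b"--" + boundary + b"\r\n"
        out += (b'Content-Disposition: form-data; name="f%d"; x=' % i
                + b"A" * pad + b"\r\n\r\nvalue\r\n")
    return out + b"--" + boundary + b"--\r\n"
```

With the defaults, `sample_body(b"xyz", 10)` is accepted while an eleventh part or a part whose headers pass 512 bytes is refused before any of its data is retained.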

Additionally, CVE-2025-49124 addresses a side-loading vulnerability in the Tomcat installer on Windows platforms. The installer previously invoked icacls.exe without a full path, creating an opportunity for side-loading if a malicious executable with the same name was present in the system path. The update has the installer use a fully qualified path to icacls.exe, closing this gap.

CVE-2025-49125 is a moderate-severity issue affecting deployments using PreResources or PostResources outside the web application root. This flaw allowed access to resources via unexpected paths, potentially bypassing the security constraints intended to protect them. The patch corrects resource path handling to ensure consistent security protections are applied to all paths.

Users advised to move to new versions of Apache Tomcat

Administrators have been advised to upgrade to the latest versions of Apache Tomcat (11.0.8, 10.1.42, or 9.0.106, depending on the release line they run). These updates are crucial to address the identified vulnerabilities and safeguard systems against potential exploitation.

The ASF has credited the TERASOLUNA Framework Security Team of NTT DATA Group Corporation, T. Doğa Gelişli and Greg K for their role in identifying these vulnerabilities.

Apache Tomcat’s extensive deployment across enterprise and cloud environments makes it essential for users to implement these patches promptly. Ensuring that systems are up-to-date will help prevent unauthorised access, service interruptions, and other security breaches.

ASF periodically issues security patches to address discovered vulnerabilities. In December 2024, it released critical security patches for three major software solutions to resolve vulnerabilities such as remote code execution (RCE), authentication bypass, and SQL injection.