CVE-2025-61795

Oct. 27, 2025, 7:16 p.m.

5.3
Medium

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.

Product(s) Impacted

Vendor Product Versions
Apache
  • Tomcat
  • 11.0.0-M1, 10.1.0-M1, 9.0.0.M1, 8.5.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-404
Improper Resource Shutdown or Release
The product does not release or incorrectly releases a resource before it is made available for re-use.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a apache tomcat 11.0.0-M1 11.0.11 / / / / / /
a apache tomcat 10.1.0-M1 10.1.46 / / / / / /
a apache tomcat 9.0.0.M1 9.0.109 / / / / / /
a apache tomcat 8.5.0 8.5.100 / / / / / /

References

https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp

Tags

security@apache.org
CWE-404
2025-10-27
CVE-2025-61795

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Oct. 27, 2025, 6:15 p.m.
Last Modified: Oct. 27, 2025, 7:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security@apache.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.