Apache Tomcat Improper Resource Shutdown Vulnerability in Multipart Upload Processing Leading to Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Apache Tomcat versions 11.0.0-M1 prior to 11.0.11, 10.1.0-M1 prior to 10.1.46, and 9.0.0-M1 prior to 9.0.109. The issue arises from improper resource management during multipart file uploads: when an error occurred, such as an upload limit being exceeded, the temporary files created for the uploaded parts were not deleted immediately but were instead left for the garbage collection process to remove. Depending on Java Virtual Machine (JVM) settings, application memory usage, and load, these temporary files could accumulate faster than garbage collection cleared them, potentially leading to a denial-of-service condition.

Impact

Exploitation of this vulnerability could result in a denial-of-service condition, where the application becomes unresponsive or unavailable due to excessive memory usage from uncollected temporary files.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later.
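A small inventory check against the fixed releases listed above, added here as an example and not part of this advisory or of Tomcat itself. It treats any version below the fixed release for its line as needing an upgrade, and it handles milestone builds (for example 10.1.0-M1), which sort before the GA release of the same number; the host names and versions in the sample inventory are constructed.

```python
import re
from typing import Optional

# Fixed releases taken from the Remediation section, keyed by major.minor line.
FIXED_VERSIONS = {
    (11, 0): "11.0.12",
    (10, 1): "10.1.47",
    (9, 0): "9.0.110",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn a Tomcat version string into a comparable tuple.

    Milestone builds (e.g. 10.1.0-M1) must sort before the GA release of the
    same number, so the tuple is (major, minor, patch, is_ga, milestone).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def needs_upgrade(version: str) -> Optional[bool]:
    """True if the version is below the fixed release for its line.

    Returns None for lines the advisory does not mention (e.g. 8.5.x): the
    advisory says nothing about them, so they are neither flagged nor cleared.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def check_fleet(inventory: dict) -> dict:
    """Map host -> version for every host still running a version below the fix."""
    return {host: v for host, v in inventory.items() if needs_upgrade(v)}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"web-01": "9.0.109", "web-02": "10.1.47",
              "web-03": "11.0.0-M1", "web-04": "11.0.12"}
    for host, v in check_fleet(sample).items():
        print(f"{host}: Tomcat {v} is below the fixed release")
```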

Added: Oct 27, 2025, 6:16 PM
Updated: Oct 27, 2025, 7:32 PM

Vulnerability Rating

Custom Algorithm
spread: 8.8
impact: 2.5
exploitability: 7.6
remediation: 7.7
relevance: 0.8
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.