Apache Tomcat Vulnerabilities Let Attackers Bypass Authentication & Trigger DoS Attacks
Four security vulnerabilities affecting Apache Tomcat have been disclosed: two flaws rated Important that enable denial-of-service (DoS) attacks, a low-severity untrusted-search-path issue in the Windows installer, and a moderate-severity vulnerability that lets requests bypass security constraints.
These vulnerabilities, identified as CVE-2025-48976, CVE-2025-48988, CVE-2025-49124, and CVE-2025-49125, affect web applications running on vulnerable Tomcat releases in the 9.0.x, 10.1.x, and 11.0.x branches.
The advisories were published on June 16, 2025, by Apache Tomcat committer Mark Thomas, with fixed releases available for every affected branch.
CVE-2025-48976: Memory Exhaustion via Multipart Header Exploitation
CVE-2025-48976 stems from insufficient limits on memory allocated for part headers in Apache Commons FileUpload, the library Tomcat bundles for multipart request processing.
Prior to the fix, the library enforced only a hard-coded 10kB limit on the headers of each individual part and no bound on how many parts a request could carry. An attacker could therefore craft a request containing many parts, each with headers just under that limit, forcing Tomcat to allocate memory proportional to the number of parts.
For instance, a request containing 1,000 parts would hold approximately 10MB in memory for part headers alone, and several such requests in flight at once can trigger out-of-memory errors and service disruption.
Affected versions are Tomcat 9.0.0.M1 to 9.0.105, 10.1.0-M1 to 10.1.41, and 11.0.0-M1 to 11.0.7.
CVE-2025-48988: Multipart Upload Resource Exhaustion
CVE-2025-48988 exploits the fact that Tomcat applied its request parameter limits to multipart parts without accounting for the extra cost each part carries.
Unlike a plain request parameter, a multipart part has its own headers, which stay in memory for the whole of request processing.
An attacker could send a request with a very high part count (e.g., 10,000 parts), each with a minimal payload but headers consuming roughly 500 bytes. That allocates about 5MB per request, enabling rapid memory exhaustion.
The impact is amplified by concurrency: every connection the Connector accepts can carry such a request, so parallel requests multiply the memory pinned at once.
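The two DoS issues above are both bounded by the same pair of limits: a cap on the number of parts and a cap on the header bytes of each part. The following parser is an added example written for this article, not Tomcat's or Commons FileUpload's code, and the request bodies it checks are constructed in-script. The limit names, defaults (10 parts, 512 bytes) and the `enforce`, `flood_body` and `header_memory_bound` helpers are this example's own; it shows how a parser that checks the limits before building any per-part structure rejects both the "few parts with huge headers" and the "thousands of tiny parts" shapes described above.

```python
"""Multipart limit enforcement, modelled on the maxPartCount / maxPartHeaderSize
limits the patched Tomcat releases add. Added example, not Tomcat's code.
All request bodies below are constructed in-script."""

DEFAULT_MAX_PART_COUNT = 10          # value the fixed releases ship with
DEFAULT_MAX_PART_HEADER_SIZE = 512   # bytes of headers allowed per part


class MultipartLimitError(ValueError):
    """Raised the moment a request exceeds a configured multipart limit."""


def build_multipart(parts, boundary):
    """Serialise [(headers, data), ...] as a multipart/form-data body.

    headers is a dict of header name -> value; data is bytes."""
    out = bytearray()
    for headers, data in parts:
        out += b"--" + boundary + b"\r\n"
        for name, value in headers.items():
            out += f"{name}: {value}\r\n".encode()
        out += b"\r\n" + data + b"\r\n"
    out += b"--" + boundary + b"--\r\n"
    return bytes(out)


def flood_body(part_count, header_padding, boundary):
    """Constructed sample shaped like the DoS requests: many one-byte parts whose
    cost is almost entirely in their headers (a padded X-Pad header per part)."""
    parts = []
    for i in range(part_count):
        headers = {"Content-Disposition": f'form-data; name="f{i}"',
                   "X-Pad": "A" * header_padding}
        parts.append((headers, b"x"))
    return build_multipart(parts, boundary)


def parse_multipart(body, boundary,
                    max_part_count=DEFAULT_MAX_PART_COUNT,
                    max_part_header_size=DEFAULT_MAX_PART_HEADER_SIZE):
    """Parse a multipart body, checking both limits before any per-part
    structure is built. Returns a list of (headers, data) tuples."""
    delimiter = b"--" + boundary
    parts = []
    # Chunk 0 is the preamble; each later chunk starts right after a delimiter.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break                                  # closing delimiter reached
        if len(parts) >= max_part_count:
            raise MultipartLimitError(f"part-count limit {max_part_count} exceeded")
        if not chunk.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without blank line after its headers")
        if len(head) > max_part_header_size:      # checked before decoding headers
            raise MultipartLimitError(
                f"part-header-size limit {max_part_header_size} exceeded")
        headers = {}
        for line in head.split(b"\r\n"):
            if not line:
                continue
            name, _, value = line.partition(b":")
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        if data.endswith(b"\r\n"):
            data = data[:-2]                       # trailing CRLF belongs to the delimiter
        parts.append((headers, data))
    return parts


def enforce(body, boundary, **limits):
    """Classify a body: 'ok', 'part-count' or 'part-header-size'."""
    try:
        parse_multipart(body, boundary, **limits)
        return "ok"
    except MultipartLimitError as exc:
        return str(exc).split()[0]


def header_memory_bound(max_part_count, max_part_header_size):
    """Worst-case bytes one request can pin in part headers under the limits."""
    return max_part_count * max_part_header_size


if __name__ == "__main__":
    boundary = b"xYzZY"
    print(enforce(flood_body(1000, 9000, boundary), boundary))    # part-header-size
    print(enforce(flood_body(10_000, 400, boundary), boundary))   # part-count
    print(header_memory_bound(10, 512), "bytes of part headers at most per request")
```

The order of the checks matters: the part count is tested before the chunk is touched and the header length before any header is decoded, so a request that breaks a limit is rejected without the allocation the limit exists to prevent. A production parser would apply the same checks while streaming the body rather than after splitting it in memory.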
CVE-2025-49124: Windows Installer Side-Loading Risk
CVE-2025-49124 concerns the Tomcat Windows installer's insecure invocation of icacls.exe, the Windows utility for modifying access control lists (ACLs).
Because the installer did not use the full path C:\Windows\System32\icacls.exe, the lookup depended on the PATH environment variable. An attacker with write access to a directory that appears earlier in PATH could place a malicious icacls.exe there, and the installer would execute it during Tomcat setup.
Since the installer normally runs with administrative privileges, the planted binary runs at that level, giving the attacker a privilege escalation path that could be used to alter the service configuration or establish persistence.
CVE-2025-49125: Security Constraint Bypass in Resource Mounting
CVE-2025-49125 allows requests to bypass the security constraints protecting PreResources or PostResources that are mounted at a location other than the root of the web application.
Such resources could be reached via an unexpected path in addition to the expected one. Security constraints are matched against the request path, so the unexpected path was likely not covered by the constraints written for the expected path, and authentication and authorization checks for those resources could be sidestepped.
Immediate Patching Required
Organizations should prioritize updating to the fixed releases. The Apache Software Foundation has published patched versions for every affected branch: Apache Tomcat 11.0.8, Apache Tomcat 10.1.42, and Apache Tomcat 9.0.106.
These releases introduce two configurable Connector attributes: maxPartHeaderSize (default 512 bytes, the maximum size of the headers of a single part) and maxPartCount (default 10, the maximum number of parts in a request).
System administrators should verify the Tomcat version in use and review the Connector settings in server.xml. Every part counts towards maxPartCount, including ordinary text fields in a multipart form, so applications whose forms submit more than ten parts will need a higher value; raise the limits only as far as the applications actually require, so that resource exhaustion stays bounded while functionality is preserved.
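An added server.xml fragment (not taken from the Tomcat distribution) showing the two attributes on an HTTP Connector. The port and timeout values are placeholders; maxPartCount and maxPartHeaderSize are the attribute names the fixed releases add, set here to the defaults quoted above, with a commented alternative for an application whose upload form carries more than ten fields:

```xml
<!-- Added example, not from the Tomcat distribution: HTTP Connector with the
     multipart limits introduced in Tomcat 9.0.106 / 10.1.42 / 11.0.8.
     Values shown are the defaults reported for the fixed releases. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPartCount="10"
           maxPartHeaderSize="512" />

<!-- For an application whose multipart forms legitimately send, say, up to
     40 fields plus file parts, raise only the part count (assumed figure):
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxPartCount="50"
           maxPartHeaderSize="512" />
-->
```

Keep maxPartHeaderSize at its default unless a client is known to send unusually long Content-Disposition or Content-Type values; the worst-case memory a single request can pin in part headers is the product of the two attributes, so raising both at once widens the exposure the fix was meant to close.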