Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1064 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.106-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2025-020 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1065 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

    Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from     9.0.0.M1 through 9.0.105.

    Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-49125)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 7.0.76-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2920 advisory.

    Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload.

    This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

    Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. (CVE-2025-48976)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2025:02184-1 advisory.

    Upgrade to upstream version 1.6.0

    - CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to     a DoS (bsc#1244657).

    Full changelog:

    https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:02159-1 advisory.

    Upgrade to upstream version 1.6.0

    - CVE-2025-48976: Fixed allocation of resources for multipart headers with insufficient limits can lead to     a DoS (bsc#1244657).

    Full changelog:

    https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities :

 - When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. (CVE-2025-49125)

 - During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability. (CVE-2025-49124)

 - Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. (CVE-2025-48988)

 - Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. (CVE-2025-48976)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.106. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.106_security-9 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.8_security-11 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.42. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.42_security-10 advisory.

  - Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in     Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from     2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the     issue. (CVE-2025-48976)

  - Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using     PreResources or PostResources mounted other than at the root of the web application, it was possible to     access those resources via an unexpected path. That path was likely not to be protected by the same     security constraints as the expected path, allowing those security constraints to be bypassed. This issue     affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1     through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the     issue. (CVE-2025-49125)

  - Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the     Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache     Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are     recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. (CVE-2025-49124)

  - Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects     Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through     9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
    (CVE-2025-48988)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
241761	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2025-1064)	Nessus	Amazon Linux Local Security Checks	high
241736	Amazon Linux 2 : tomcat (ALASTOMCAT9-2025-020)	Nessus	Amazon Linux Local Security Checks	high
241733	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1065)	Nessus	Amazon Linux Local Security Checks	high
241723	Amazon Linux 2 : tomcat (ALAS-2025-2920)	Nessus	Amazon Linux Local Security Checks	high
241129	SUSE SLES12 Security Update : jakarta-commons-fileupload (SUSE-SU-2025:02184-1)	Nessus	SuSE Local Security Checks	high
240893	SUSE SLES15 / openSUSE 15 Security Update : apache-commons-fileupload (SUSE-SU-2025:02159-1)	Nessus	SuSE Local Security Checks	high
114888	Apache Tomcat 9.0.0-M1 < 9.0.106 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114887	Apache Tomcat 10.1.0-M1 < 10.1.42 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114886	Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
240060	Apache Tomcat 9.0.0.M1 < 9.0.106 multiple vulnerabilities	Nessus	Web Servers	high
240059	Apache Tomcat 11.0.0.M1 < 11.0.8 multiple vulnerabilities	Nessus	Web Servers	high
240058	Apache Tomcat 10.1.0.M1 < 10.1.42 multiple vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2025-48976

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high