7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-48976

GHSA ID

GHSA-vv7r-c36w-3prj

EPSS Score

CWE

CWE-770

Published

6/16/2025

Updated

6/16/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-48976

CVE-2025-48976:
Apache Commons FileUpload Multipart Header Denial of Service Vulnerability

CVE-2025-48976 identifies a denial of service vulnerability in Apache Commons FileUpload that enables attackers to exhaust server resources through improper allocation limits for multipart headers during file upload processing. This vulnerability affects Apache Commons FileUpload versions 1.0 through 1.5 and 2.0.0-M1 through 2.0.0-M3, achieving a CVSS score of 7.5 (High severity) indicating significant risk for Java web applications that handle multipart file uploads without proper resource controls. The vulnerability details reveal that insufficient limits on multipart header allocation allow attackers to craft malicious file upload requests with oversized headers that consume excessive server memory and processing resources, leading to service degradation or complete unavailability. The technical root cause lies in Apache Commons FileUpload's resource allocation mechanism where inadequate header size limits enable uncontrolled resource allocation during multipart header processing, classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability specifically affects multipart request handling where improper enforcement of header size limits allows attackers to submit requests with excessively large headers that bypass intended resource restrictions. Mitigation strategies require upgrading to Apache Commons FileUpload versions 1.6 or 2.0.0-M4 and later, which implement proper resource limits and throttling mechanisms for multipart header processing. Organizations should prioritize identifying all Java applications using vulnerable versions, implement strict file upload validation and size limits, monitor server resources during file upload operations, and maintain updated CVE database records to track similar resource allocation vulnerabilities.

(GitHub Advisory)

7.5

CVSS Score

Basic Information

CVE ID

CVE-2025-48976

GHSA ID

GHSA-vv7r-c36w-3prj

EPSS Score

CWE

CWE-770

Published

6/16/2025

Updated

6/16/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.commons:commons-fileupload2-core	maven	>= 1.0, < 1.6.0	1.6.0
org.apache.commons:commons-fileupload2-core	maven	>= 2.0.0-M1, < 2.0.0-M4	2.0.0-M4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability (CVE-2025-48976 / GHSA-vv7r-c36w-3prj) is a Denial of Service in Apache Commons FileUpload due to 'Allocation of resources for multipart headers with insufficient limits'. The provided commit bf68f63cfb312ef4710fb3dfb4d8e4e1665f4497 has a message 'Sort members' and shows reordering of methods within org.apache.commons.fileupload2.core.MultipartInput.Builder, including setPartHeaderSizeMax and getPartHeaderSizeMax.

While this commit doesn't show a direct logic change for enforcing header size limits (which would typically be in the header parsing code itself, likely within the MultipartInput class), the Builder is responsible for configuring the partHeaderSizeMax limit.

The identified functions are part of this configuration process:

org.apache.commons.fileupload2.core.MultipartInput.Builder.setPartHeaderSizeMax(int): Allows setting the header size limit.
org.apache.commons.fileupload2.core.MultipartInput.Builder.get(): Instantiates the MultipartInput object, passing the configured partHeaderSizeMax to its constructor.

If, prior to the set of changes that this commit is part of, this configuration mechanism was flawed (e.g., the set limit was not correctly propagated, a default was insecure, or the parser ignored the configured limit), these builder methods would be involved in the pathway to the vulnerability. The vulnerability itself—excessive resource allocation—would occur in the actual header parsing logic within the MultipartInput object, which is not visible in this specific patch. The assumption is that this 'Sort members' commit was part of a larger fix that ensured these limits became effective, or that the reordering itself subtly fixed an issue with how partHeaderSizeMax was handled by the builder.

The confidence is 'medium' because the commit itself is not an explicit security fix altering parsing logic but rather a refactoring of the configuration interface. The link to the vulnerability relies on the advisory's assertion that this commit is related to the fix, implying the previous state of this configuration code was deficient in establishing proper limits for the parser.

Vulnerable functions

org.apache.commons.fileupload2.core.MultipartInput.Builder.setPartHeaderSizeMax

commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/MultipartInput.java

This function is responsible for allowing a user to set the maximum size for part headers. The vulnerability is described as 'Allocation of resources for multipart headers with insufficient limits'. If this configuration was not properly applied by the underlying parser, or if the default limit (if any) was insufficient, this method is part of the mechanism that should have prevented the DoS. The vulnerability implies that the limit-setting mechanism, which this function is a part of, was ineffective in preventing excessive resource allocation by the header parser (not shown in this specific patch).

org.apache.commons.fileupload2.core.MultipartInput.Builder.get

commons-fileupload2-core/src/main/java/org/apache/commons/fileupload2/core/MultipartInput.java

This function constructs the `MultipartInput` object, critically passing the `partHeaderSizeMax` (obtained via the builder's `getPartHeaderSizeMax()` method) to the `MultipartInput` constructor. If the `partHeaderSizeMax` value, as configured through the builder, was not effectively enforced by the `MultipartInput` instance's internal header parsing logic (due to flaws in propagation, enforcement, or an insecure default value prior to the overall fix this commit is associated with), this `get()` method is a key part of the chain that leads to the instantiation of a parser with insufficient limits. The actual resource allocation vulnerability occurs within the `MultipartInput`'s header processing.

WAF Protection Rules

WAF Rule

*llo**tion o* r*sour**s *or multip*rt *****rs wit* insu**i*i*nt limits *n**l** * *oS vuln*r**ility in *p**** *ommons *il*Uplo**. T*is issu* *****ts *p**** *ommons *il*Uplo**: *rom *.* ***or* *.*; *rom *.*.*-M* ***or* *.*.*-M*. Us*rs *r* r**omm*n***

Reasoning

T** vuln*r**ility (*V*-****-***** / **S*-vv*r-***w-*prj) is * **ni*l o* S*rvi** in *p**** *ommons *il*Uplo** *u* to '*llo**tion o* r*sour**s *or multip*rt *****rs wit* insu**i*i*nt limits'. T** provi*** *ommit `***************************************

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-48976: Apache Commons FileUpload Multipart Header Denial of Service Vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-48976:
Apache Commons FileUpload Multipart Header Denial of Service Vulnerability

Vulnerability Intelligence
Miggo AI