
CVE-2025-48989: Apache Tomcat Improper Resource Shutdown or Release vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: -
Published: 8/13/2025
Updated: 8/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name                     Ecosystem   Vulnerable Versions        First Patched Version
org.apache.tomcat:tomcat-coyote  maven       >= 11.0.0-M1, < 11.0.10    11.0.10
org.apache.tomcat:tomcat-coyote  maven       >= 10.1.0-M1, < 10.1.44    10.1.44
org.apache.tomcat:tomcat-coyote  maven       >= 9.0.0.M1, < 9.0.108     9.0.108

Vulnerability Intelligence

Root Cause Analysis

CVE-2025-48989 is a resource-exhaustion flaw in the HTTP/2 implementation of Apache Tomcat, disclosed under the name 'made you reset'. Tomcat protects each connection against clients that generate large numbers of cheap control frames with an overhead counter: control frames increase it, frames that carry real request payload reduce it, and a connection whose counter grows past the configured limit is closed. The sendStreamReset methods in Http2UpgradeHandler and Http2AsyncUpgradeHandler, which send RST_STREAM frames, did not increment that counter. An attacker could therefore open a large number of streams and, on each one, send a frame that forces the server to reset the stream; the attacker never sends RST_STREAM itself, which is what distinguishes this from the 2023 'rapid reset' attack (CVE-2023-44487), where the client sends the resets. Each reset stream stops counting toward the concurrent-stream limit while the work it has already triggered on the server continues, so the cycle can be repeated without bound and the server's threads and CPU are exhausted, which is why the CVSS vector scores availability impact only. The patches fix this by adding a call to increaseOverheadCount in the sendStreamReset methods, so server-sent resets are charged against the overhead budget and an abusive connection is closed.
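The accounting gap described above, as an added model rather than Tomcat's code: a small Python simulation of one HTTP/2 connection with an overhead counter, run once with resets left uncounted (the pre-fix behaviour) and once with the reset path charging the counter (the fix). All class, method and constant names here are hypothetical, the cost and threshold values are assumptions chosen to keep the arithmetic visible, and the attacker's trigger (a stream-level protocol violation that obliges the server to send RST_STREAM) is one example of the pattern, not a claim about the frame used in any real exploit.

```python
from dataclasses import dataclass, field

# Tuning constants for the model. These are assumptions chosen to keep the
# arithmetic visible; they are not Tomcat's configuration defaults.
OVERHEAD_THRESHOLD = 100       # connection is closed once the counter exceeds this
CONTROL_FRAME_COST = 10        # charged per client control frame (PING, SETTINGS, ...)
RESET_COST = 10                # charged per server-sent RST_STREAM once resets are counted
MAX_CONCURRENT_STREAMS = 100   # per-connection stream limit


@dataclass
class Http2ConnectionModel:
    """Minimal model of one server-side HTTP/2 connection (hypothetical API)."""
    count_resets: bool                    # False = pre-fix accounting, True = fixed
    overhead: int = 0
    active_streams: set = field(default_factory=set)
    dispatched: int = 0                   # requests handed to a container thread
    completed: int = 0                    # requests that finished normally
    resets_sent: int = 0
    closed: bool = False

    def increase_overhead(self, cost: int) -> None:
        self.overhead += cost
        if self.overhead > OVERHEAD_THRESHOLD:
            self.closed = True            # a real server would send GOAWAY here

    def reduce_overhead(self) -> None:
        # A frame that carries real request payload pays the budget back down.
        self.overhead = max(0, self.overhead - 1)

    def receive_headers(self, stream_id: int) -> bool:
        """Client opens a stream; the request is dispatched immediately."""
        if self.closed or len(self.active_streams) >= MAX_CONCURRENT_STREAMS:
            return False
        self.active_streams.add(stream_id)
        self.dispatched += 1
        return True

    def receive_data(self, stream_id: int) -> None:
        """Client sends the request body with END_STREAM: the stream completes."""
        if self.closed or stream_id not in self.active_streams:
            return
        self.reduce_overhead()
        self.active_streams.discard(stream_id)
        self.completed += 1

    def receive_invalid_frame(self, stream_id: int) -> None:
        """Client sends a stream-level protocol violation (for example a
        WINDOW_UPDATE with a zero increment, RFC 9113 section 6.9); the
        server must answer with RST_STREAM on that stream."""
        if self.closed or stream_id not in self.active_streams:
            return
        self.send_stream_reset(stream_id)

    def send_stream_reset(self, stream_id: int) -> None:
        """The server-side send path that CVE-2025-48989 left unaccounted."""
        self.active_streams.discard(stream_id)   # stream no longer counts toward the limit
        self.resets_sent += 1                    # ...but the dispatched work is not undone
        if self.count_resets:
            self.increase_overhead(RESET_COST)   # the fix, modelled: charge the reset


def made_you_reset(conn: Http2ConnectionModel, attempts: int) -> Http2ConnectionModel:
    """Attacker loop: open a stream, then make the server reset it, repeatedly."""
    for i in range(attempts):
        stream_id = 2 * i + 1                    # client streams use odd identifiers
        if not conn.receive_headers(stream_id):
            break                                # connection closed or limit reached
        conn.receive_invalid_frame(stream_id)
    return conn


def well_behaved(conn: Http2ConnectionModel, requests: int) -> Http2ConnectionModel:
    """Legitimate client: every stream is opened and then completed with DATA."""
    for i in range(requests):
        stream_id = 2 * i + 1
        if not conn.receive_headers(stream_id):
            break
        conn.receive_data(stream_id)
    return conn


if __name__ == "__main__":
    vulnerable = made_you_reset(Http2ConnectionModel(count_resets=False), 1000)
    patched = made_you_reset(Http2ConnectionModel(count_resets=True), 1000)
    legit = well_behaved(Http2ConnectionModel(count_resets=True), 1000)
    for name, c in (("pre-fix", vulnerable), ("fixed", patched), ("legit", legit)):
        print(f"{name}: dispatched={c.dispatched} resets={c.resets_sent} "
              f"overhead={c.overhead} closed={c.closed}")
```

With resets uncounted, the attacker's 1000 stream-and-reset cycles never leave a stream open, so the concurrent-stream limit is never reached and all 1000 requests are dispatched while the overhead counter stays at zero. With the reset path charging the counter, the connection is closed after the eleventh reset under these constants, and the well-behaved client that completes each stream with DATA is never affected, which is the property the fix has to preserve.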


WAF Protection Rules

WAF Rule

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107.
