N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61795

GHSA ID

GHSA-hgrr-935x-pq79

EPSS Score

0.11577%

CWE

CWE-404

Published

10/27/2025

Updated

10/28/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61795

CVE-2025-61795: Apache Tomcat Vulnerable to Improper Resource Shutdown or Release

If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-61795

GHSA ID

GHSA-hgrr-935x-pq79

EPSS Score

0.11577%

CWE

CWE-404

Published

10/27/2025

Updated

10/28/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 11.0.0-M1, < 11.0.12	11.0.12
org.apache.tomcat:tomcat	maven	>= 10.1.0-M1, < 10.1.47	10.1.47
org.apache.tomcat:tomcat	maven	>= 9.0.0.40, < 9.0.110	9.0.110
org.apache.tomcat:tomcat	maven	>= 8.5.60, <= 8.5.100
org.apache.tomcat:tomcat-catalina	maven	>= 11.0.0-M1, < 11.0.12	11.0.12
org.apache.tomcat:tomcat-catalina	maven	>= 10.1.0-M1, < 10.1.47	10.1.47
org.apache.tomcat:tomcat-catalina	maven	>= 9.0.0.40, < 9.0.110	9.0.110
org.apache.tomcat:tomcat-catalina	maven	>= 8.5.60, <= 8.5.100
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 11.0.0-M1, < 11.0.12	11.0.12
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 10.1.0-M1, < 10.1.47	10.1.47
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 9.0.0.40, < 9.0.110	9.0.110
org.apache.tomcat.embed:tomcat-embed-core	maven	>= 8.5.60, <= 8.5.100

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability described is a failure to properly clean up resources (temporary files) after a failed multipart upload in Apache Tomcat. The provided commit patches directly address this issue. By analyzing the changes in the Request.java file across the supplied commits, it's clear that the parseParts method is the central point of the vulnerability. The original code lacked a mechanism to guarantee the cleanup of temporary files in case of an exception during the upload parsing process. The fix introduces a finally block to ensure that item.delete() is called on the temporary FileItem objects, regardless of whether the upload parsing was successful or not. Therefore, org.apache.catalina.connector.Request.parseParts is the specific function that contains the flawed logic and would be active during the exploitation of this Denial of Service vulnerability.

Vulnerable functions

org.apache.catalina.connector.Request.parseParts

java/org/apache/catalina/connector/Request.java

The `parseParts` function in `org.apache.catalina.connector.Request` is responsible for parsing multipart/form-data requests. The vulnerability lies in the fact that if an error occurs during the parsing of a multipart upload (e.g., exceeding file size limits), the temporary files created on disk for the uploaded parts were not immediately deleted. The cleanup was left to the Java garbage collector (GC). Under high load, new temporary files could be created faster than the GC could clean up the old ones, leading to disk space exhaustion and a Denial of Service (DoS). The `parseParts` function is the entry point for this vulnerable process and would be present in any stack trace related to the exploit.

WAF Protection Rules

WAF Rule

I* *n *rror o**urr** (in*lu*in* *x****in* limits) *urin* t** pro**ssin* o* * multip*rt uplo**, t*mpor*ry *opi*s o* t** uplo**** p*rts writt*n to *is* w*r* not *l**n** up imm**i*t*ly *ut l**t *or t** **r**** *oll**tion pro**ss to **l*t*. **p*n*in* on

Reasoning

T** vuln*r**ility **s*ri*** is * **ilur* to prop*rly *l**n up r*sour**s (t*mpor*ry *il*s) **t*r * **il** multip*rt uplo** in *p**** Tom**t. T** provi*** *ommit p*t***s *ir**tly ***r*ss t*is issu*. *y *n*lyzin* t** ***n**s in t** `R*qu*st.j*v*` *il* *

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-61795: Apache Tomcat Vulnerable to Improper Resource Shutdown or Release

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI