CVE-2025-48988 Overview
CVE-2025-48988 is a Denial of Service vulnerability in Apache Tomcat caused by allocation of resources without limits or throttling [CWE-770]. Remote attackers can exhaust server resources without authentication, rendering the Tomcat instance unresponsive. The flaw affects Apache Tomcat 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, and 9.0.0.M1 through 9.0.105. End-of-life branches 8.5.0 through 8.5.100 are also known to be affected, and other older EOL versions may carry the same defect. The Apache Tomcat project recommends upgrading to 11.0.8, 10.1.42, or 9.0.106 to remediate the issue.
Critical Impact
Unauthenticated remote attackers can trigger resource exhaustion that disrupts availability of Apache Tomcat servers handling production workloads.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0-M1 through 10.1.41
- Apache Tomcat 9.0.0.M1 through 9.0.105 (and EOL 8.5.0 through 8.5.100)
Discovery Timeline
- 2025-06-16 - CVE-2025-48988 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-48988
Vulnerability Analysis
The defect resides in how Apache Tomcat allocates memory when processing certain client-supplied inputs without enforcing upper bounds. An unauthenticated attacker can send crafted requests over the network that force Tomcat to allocate excessive resources per connection. As traffic accumulates, the Java Virtual Machine heap and supporting thread pools are consumed, leading to degraded service or full unresponsiveness. The vulnerability impacts availability only; confidentiality and integrity remain intact. Because the attack requires no privileges and no user interaction, it is well-suited to opportunistic scanning against internet-exposed Tomcat instances. The EPSS probability of 0.759% (73rd percentile) reflects measurable interest in the issue across the broader threat landscape.
Root Cause
The root cause is classified under [CWE-770]: Allocation of Resources Without Limits or Throttling. Tomcat code paths that parse multipart, header, or request-body data accept caller-influenced sizes and counts without rejecting inputs that exceed safe thresholds. Without throttling on a per-connection or per-request basis, repeated abuse compounds the cost across the server.
Attack Vector
The attack vector is network-based and unauthenticated. An adversary sends a stream of crafted HTTP requests to the Tomcat listener. Each request consumes disproportionate memory or thread time relative to its size, so a low-bandwidth attacker can degrade a high-capacity server. Detailed exploitation specifics are not publicly disclosed at this time. See the Apache Security Discussion and the Openwall OSS-Security Mailing List for vendor commentary.
Detection Methods for CVE-2025-48988
Indicators of Compromise
- Sustained spikes in Tomcat JVM heap usage, garbage collection time, or thread pool saturation without a corresponding business traffic increase.
- OutOfMemoryError entries or thread starvation warnings in catalina.out and application logs.
- High request volume from a small set of source IPs targeting endpoints that accept large or multipart payloads.
Detection Strategies
- Inventory Apache Tomcat installations and flag any instance running versions earlier than 11.0.8, 10.1.42, or 9.0.106, including EOL 8.5.x deployments.
- Correlate web access logs with JVM memory metrics to identify requests that precede resource exhaustion events.
- Deploy WAF or reverse proxy rules that surface anomalous request size, header count, or multipart part counts.
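As an added example (not from the page's source or from Apache Tomcat), the following Python sketch implements two of the strategies above over constructed Tomcat access log lines: flagging a source IP that bursts POSTs at an assumed multipart upload endpoint, and pulling the requests that immediately precede an OutOfMemoryError timestamp copied from catalina.out. The upload path, thresholds and log lines are assumptions to be tuned against a real baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_PATHS = {"/app/upload"}  # assumed multipart endpoint; adjust to your application

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2025:10:00:01 +0000] "POST /app/upload HTTP/1.1" 200 512
203.0.113.7 - - [16/Jun/2025:10:00:02 +0000] "POST /app/upload HTTP/1.1" 200 512
203.0.113.7 - - [16/Jun/2025:10:00:03 +0000] "POST /app/upload HTTP/1.1" 200 512
203.0.113.7 - - [16/Jun/2025:10:00:04 +0000] "POST /app/upload HTTP/1.1" 500 -
198.51.100.2 - - [16/Jun/2025:10:00:05 +0000] "GET /app/index.html HTTP/1.1" 200 2048
198.51.100.2 - - [16/Jun/2025:10:30:00 +0000] "GET /app/index.html HTTP/1.1" 200 2048
"""

def parse(log_text):
    # Yield one dict per line matching the common pattern; unparsable lines are skipped.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec

def flag_upload_bursts(log_text, window=timedelta(seconds=60), threshold=3):
    """Map source IP -> peak number of POSTs to UPLOAD_PATHS inside any sliding
    window of `window` seconds, for IPs that reach `threshold` (tune to baseline)."""
    posts = defaultdict(list)
    for rec in parse(log_text):
        if rec["method"] == "POST" and rec["path"] in UPLOAD_PATHS:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def requests_before(log_text, event_ts, lookback=timedelta(seconds=5)):
    # Requests logged within `lookback` before an OutOfMemoryError (event_ts in %t format).
    evt = datetime.strptime(event_ts, TS_FMT)
    return [r for r in parse(log_text) if evt - lookback <= r["ts"] <= evt]
```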
Monitoring Recommendations
- Monitor Tomcat JMX metrics for HeapMemoryUsage, ThreadPool.currentThreadsBusy, and connector queue depth, with alerts on sustained anomalies.
- Ingest Tomcat access and catalina logs into a centralized analytics platform to baseline normal request distributions and flag deviations.
- Track upstream network telemetry for repeated low-and-slow request patterns directed at Tomcat-fronted applications.
How to Mitigate CVE-2025-48988
Immediate Actions Required
- Upgrade Apache Tomcat to 11.0.8, 10.1.42, or 9.0.106 as supplied by the Apache Tomcat project.
- Retire or isolate any EOL 8.5.x (or older) Tomcat instances that cannot receive the fix.
- Place vulnerable instances behind a reverse proxy or WAF that enforces strict request size, header, and rate limits until patching is complete.
Patch Information
Apache Tomcat has released fixed builds in versions 11.0.8, 10.1.42, and 9.0.106. Refer to the Apache Security Discussion and the Debian LTS Announcement for distribution-specific package updates.
Workarounds
- Tighten Tomcat connector limits such as maxHttpHeaderSize, maxPostSize, maxParameterCount, and maxSwallowSize to reject oversized inputs.
- Enforce per-IP rate limiting and connection caps at the load balancer or WAF tier.
- Restrict exposure of Tomcat management and application endpoints to trusted networks where possible.
<!-- Example server.xml connector hardening (review against vendor guidance) -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="8192"
           maxPostSize="2097152"
           maxParameterCount="1000"
           maxSwallowSize="2097152"
           connectionTimeout="20000"
           acceptCount="100"
           maxThreads="200" />
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.