Resource exhaustion in Apache Tomcat - CVE-2025-61795
Published: October 27, 2025 / Updated: October 29, 2025
Vulnerability identifier: #VU117682
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-61795
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat
Apache Tomcat
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling errors while processing multipart upload. Depending on JVM settings, application memory usage and application load, it is possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
How to mitigate CVE-2025-61795
Install updates from vendor's website.