CVE-2016-3092

HIGH

Apache Tomcat 7.x < 7.0.70, 8.x < 8.0.36, 8.5.x < 8.5.3, 9.x < 9.0.0.M7 - Denial of Service via Long Boundary String


Exploitation Summary

EIP tracks 2 public exploits for CVE-2016-3092. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary: This repository contains the vulnerable source code of Apache Commons FileUpload (CVE-2016-3092), specifically the deprecated `DefaultFileItem` and `DefaultFileItemFactory` classes. The code demonstrates the vulnerability by including the affected components, which can be used to test or exploit the issue.

Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Exploits (2)

nomisec WORKING POC
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2016-3092-commons-fileupload-vulnerable

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apache Commons FileUpload 1.3.2 and earlier
No auth needed
Prerequisites: Target application using vulnerable Apache Commons FileUpload library
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2016-3092-commons-fileupload-vulnerable

This repository contains the vulnerable source code of Apache Commons FileUpload (version affected by CVE-2016-3092), specifically the deprecated `DefaultFileItem` and `DefaultFileItemFactory` classes. The code demonstrates the vulnerable implementation that could lead to denial-of-service (DoS) via excessive resource consumption.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apache Commons FileUpload (versions before 1.3.2)
No auth needed
Prerequisites: Target application using vulnerable Apache Commons FileUpload library · Ability to send crafted multipart requests
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 7.5
EPSS 0.4025
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-20
Status published
Products (40)
apache/commons_fileupload < 1.3.1
apache/tomcat 9.0.0 milestone1 (4 CPE variants)
apache/tomcat 8.0.0 rc1 (4 CPE variants)
apache/tomcat 8.0.1
apache/tomcat 8.0.3
apache/tomcat 8.0.5
apache/tomcat 8.0.8
apache/tomcat 8.0.11
apache/tomcat 8.0.12
apache/tomcat 8.0.14
... and 30 more
Published Jul 04, 2016
Tracked Since Feb 18, 2026