CVE-2025-48976

HIGH

Apache Commons FileUpload 1.0 before 1.6 and 2.0.0-M1 before 2.0.0-M4 - DoS

Title source: llm

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Exploits (2)

nomisec WORKING POC 2 stars
by nankuo · poc
https://github.com/nankuo/CVE-2025-48976_CVE-2025-48988
github WORKING POC
by Samb102 · python · poc
https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976

Scores

CVSS v3 7.5
EPSS 0.0128
EPSS Percentile 79.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-770
Status published
Products (4)
apache/commons_fileupload 2.0.0 m1 (6 CPE variants)
apache/commons_fileupload 1.0 - 1.6
commons-fileupload/commons-fileupload 1.0 - 1.6.0 (Maven)
org.apache.commons/commons-fileupload2-core 2.0.0-M1 - 2.0.0-M4 (Maven)
Published Jun 16, 2025
Tracked Since Feb 18, 2026