CVE-2025-48976

HIGH

Apache Commons FileUpload <1.6-2.0.0-M4 - DoS

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-48976. PoCs published by nankuo, Samb102.

AI-analyzed exploit summary The PoC demonstrates a DoS vulnerability by sending maliciously crafted multipart/form-data requests with excessive headers and parts to overwhelm the target server. It targets a JSP upload endpoint, likely exploiting a resource exhaustion flaw.

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Exploits (2)

nomisec WORKING POC 2 stars

by nankuo · poc

https://github.com/nankuo/CVE-2025-48976_CVE-2025-48988

View Code ZIP pw:eip

The PoC demonstrates a DoS vulnerability by sending maliciously crafted multipart/form-data requests with excessive headers and parts to overwhelm the target server. It targets a JSP upload endpoint, likely exploiting a resource exhaustion flaw.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: MultipartUploadApp_JSP (version unspecified)

No auth needed

Prerequisites: Network access to the target server · Target server running the vulnerable JSP application

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC

by Samb102 · pythonpoc

https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976

View Code ZIP pw:eip

This repository contains a functional proof-of-concept exploit for CVE-2025-48988 and CVE-2025-48976, targeting a DoS vulnerability in Tomcat 10.1.41 via crafted multipart requests. The exploit sends high-volume multipart requests to trigger excessive CPU usage, with a Docker setup for testing and remediation guidance.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apache Tomcat 10.1.41

No auth needed

Prerequisites: Network access to the target Tomcat server · Tomcat 10.1.41 running with default configuration

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Core References

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12

Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2025/06/16/4

Mailing List

https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html

Mailing List

https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html

Scores

CVSS v3 7.5

EPSS 0.0128

EPSS Percentile 80.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (4)

apache/commons_fileupload 2.0.0 m1 (6 CPE variants)

apache/commons_fileupload 1.0 - 1.6

commons-fileupload/commons-fileupload 1.0 - 1.6.0Maven

org.apache.commons/commons-fileupload2-core 2.0.0-M1 - 2.0.0-M4Maven

Published Jun 16, 2025

Tracked Since Feb 18, 2026