CVE-2025-48988

HIGH

Apache Tomcat - Allocation of Resources Without Limits or Throttling

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-48988. PoCs published by nankuo, Samb102.

AI-analyzed exploit summary: both PoCs target Tomcat's multipart/form-data request processing. They send a large number of crafted multipart requests, each carrying many parts with oversized part headers, so that the server spends unbounded CPU on parsing them, producing a DoS condition.

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
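As an added example (not code from this page or from the Tomcat project), the Python check below maps a Tomcat version string onto the affected ranges stated in the description above, handling both milestone spellings Tomcat has used (11.0.0-M1 and 9.0.0.M1), and then inspects a server.xml for per-Connector multipart limits. The Connector attribute names maxPartCount and maxPartHeaderSize are taken from the Tomcat Connector documentation for the fixed releases, not from this page, so treat them as an assumption to confirm against your own release's reference; the server.xml is constructed sample input.

```python
"""Added example: classify a Tomcat version against CVE-2025-48988's affected
ranges and report per-Connector multipart limits from server.xml."""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch, from the advisory description.
# Every earlier release of the branch (milestones included) is affected.
FIXED_IN = {
    (11, 0): (11, 0, 8),
    (10, 1): (10, 1, 42),
    (9, 0): (9, 0, 106),
}
# 8.5.0 through 8.5.100 were EOL when the CVE was created but are known affected.
EOL_KNOWN_AFFECTED = {(8, 5)}

# Matches 9.0.106, 11.0.0-M1 and the older 9.0.0.M1 milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version):
    """Return a sortable key (major, minor, patch, is_ga, milestone).

    A milestone (is_ga=0) sorts before the GA release with the same patch
    number, so 11.0.0-M1 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def cve_2025_48988_status(version):
    """One of 'fixed', 'affected', 'eol-affected', 'eol-unknown', 'unknown-branch'."""
    key = parse_version(version)
    branch = key[:2]
    if branch in FIXED_IN:
        return "fixed" if key >= FIXED_IN[branch] + (1, 0) else "affected"
    if branch in EOL_KNOWN_AFFECTED:
        return "eol-affected"
    if key < (9, 0, 0, 0, 0):
        # Advisory: "other, older, EOL versions may also be affected".
        return "eol-unknown"
    return "unknown-branch"  # newer than anything the advisory covers


def connector_part_limits(server_xml):
    """List each Connector with the multipart limits set on it.

    Assumption (not from this page): the fixed releases added the Connector
    attributes maxPartCount and maxPartHeaderSize; confirm the names against
    the Connector reference for your release. None means the attribute is
    absent and the release default applies, which on an unpatched release
    is no limit at all.
    """
    root = ET.fromstring(server_xml)
    report = []
    for conn in root.iter("Connector"):
        report.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "maxPartCount": conn.get("maxPartCount"),
            "maxPartHeaderSize": conn.get("maxPartHeaderSize"),
        })
    return report


# Constructed sample server.xml: one connector left at defaults, one with limits.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxPartCount="10" maxPartHeaderSize="512"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for v in ("10.1.41", "10.1.42", "11.0.0-M1", "9.0.0.M1", "9.0.106", "8.5.100", "7.0.109"):
        print(f"{v:10} {cve_2025_48988_status(v)}")
    for entry in connector_part_limits(SAMPLE_SERVER_XML):
        print(entry)
```

Run it against the version string from the Tomcat server banner or `catalina.sh version` and against the deployed server.xml; a connector reported with both limits as None on an affected release is the configuration the PoCs on this page exercise.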

Exploits (2)

GitHub · WORKING POC · 2 stars
by nankuo · python · poc
https://github.com/nankuo/CVE-2025-48976_CVE-2025-48988

This PoC exploits Tomcat's multipart/form-data parsing through a JSP upload application by sending a large number of crafted multipart requests with excessive part headers, causing a DoS condition. The script continuously sends payloads to the target endpoint, demonstrating the vulnerability's exploitability.

Classification: Working PoC (90%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: MultipartUploadApp_JSP (version unspecified)
No auth needed
Prerequisites: Network access to the target application · Target application running on port 8080
devstral-2 · analyzed Feb 19, 2026
nomisec · WORKING POC
by Samb102 · poc
https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976

This repository contains a functional PoC for CVE-2025-48988, demonstrating a DoS vulnerability in Tomcat 10.1.41 via excessive multipart request processing. The exploit sends parallelized requests with numerous parts and headers, causing high CPU usage.

Classification: Working PoC (95%)
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Apache Tomcat 10.1.41
No auth needed
Prerequisites: Network access to the target Tomcat server
devstral-2 · analyzed Feb 18, 2026

References (3)


Scores

CVSS v3 7.5
EPSS 0.0076
EPSS Percentile 73.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-770
Status published
Products (3)
apache/tomcat 9.0.0 to 9.0.106 (fixed in 9.0.106)
org.apache.tomcat/tomcat-catalina 11.0.0-M1 to 11.0.8 (Maven; fixed in 11.0.8)
org.apache.tomcat.embed/tomcat-embed-core 11.0.0-M1 to 11.0.8 (Maven; fixed in 11.0.8)
Published Jun 16, 2025
Tracked Since Feb 18, 2026