CVE-2025-48989

HIGH

Apache Tomcat <11.0.10, 10.1.44, 9.0.108 - Improper Resource Shutdown

Title source: llm

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

References (3)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

[Mailing List] http://www.openwall.com/lists/oss-security/2025/08/13/2

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/767506

Scores

CVSS v3 7.5

EPSS 0.0035

EPSS Percentile 57.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-404

Status published

Products (4)

apache/tomcat 9.0.0 milestone1 (27 CPE variants)

apache/tomcat 9.0.1 - 9.0.108

org.apache.tomcat/tomcat-coyote 11.0.0-M1 - 11.0.10Maven

org.apache.tomcat.embed/tomcat-embed-core 11.0.0-M1 - 11.0.10Maven

Published Aug 13, 2025

Tracked Since Feb 18, 2026