CVE-2025-48989

HIGH

Apache Tomcat <11.0.10, 10.1.44, 9.0.108 - Improper Resource Shutdown

Title source: llm

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

References (3)

[Mailing List, Vendor Advisory] https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

[Mailing List] http://www.openwall.com/lists/oss-security/2025/08/13/2

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/767506

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 47.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-404

Status published

Affected Products (30)

apache/tomcat < 9.0.108

apache/tomcat

... and 15 more

Timeline

Published Aug 13, 2025

Tracked Since Feb 18, 2026