CVE-2025-48989

HIGH

Apache Tomcat <11.0.10, 10.1.44, 9.0.108 - Improper Resource Shutdown

Title source: llm

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

References (4)

Core 4

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2025/08/13/2

Third Party Advisory, US Government Resource

https://www.kb.cert.org/vuls/id/767506

Mailing List, Vendor Advisory vendor-advisory

https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

Vendor Advisory

https://cert-portal.siemens.com/productcert/html/ssa-032379.html

Scores

CVSS v3 7.5

EPSS 0.0293

EPSS Percentile 85.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-404

Status published

Products (13)

apache/tomcat 9.0.0 milestone1 (27 CPE variants)

apache/tomcat 9.0.1 - 9.0.108

Apache Software Foundation/Apache Tomcat 10.0.0-M1 - 10.0.27

Apache Software Foundation/Apache Tomcat 10.1.0-M1 - 10.1.43

Apache Software Foundation/Apache Tomcat 11.0.0-M1 - 11.0.9

Apache Software Foundation/Apache Tomcat 8.5.0 - 8.5.100

Apache Software Foundation/Apache Tomcat 9.0.0.M1 - 9.0.107

org.apache.tomcat/tomcat-coyote 10.1.0-M1 - 10.1.44Maven

org.apache.tomcat/tomcat-coyote 11.0.0-M1 - 11.0.10Maven

org.apache.tomcat/tomcat-coyote 9.0.0.M1 - 9.0.108Maven

... and 3 more

Published Aug 13, 2025

Tracked Since Feb 18, 2026