CVE-2025-48976

CWE-770 — Allocation without Limits12 documents9 sources

Severity

7.5HIGH

EPSS

1.3%

top 20.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Commons Fileupload Apache Commons Fileupload

Timeline

PublishedJun 16

Latest updateJan 15

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDapache/commons_fileupload1.0 — 1.6+1

▶Mavenorg.apache.commons:commons-fileupload2-core2.0.0-M1 — 2.0.0-M4

▶CVEListV5apache_software_foundation/apache_commons_fileupload1.0 — 1.6+1

▶Mavencommons-fileupload:commons-fileupload1.0 — 1.6.0

▶Debianlibcommons-fileupload-java< 1.4-1+deb11u1

🔴Vulnerability Details

OSV

CVE-2025-48976: Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload↗2025-06-16

▶

CVEList

Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers↗2025-06-16

▶

OSV

Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers↗2025-06-16

▶

GHSA

Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers↗2025-06-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Third Party (Apache Commons FileUpload) — CVE-2025-48976↗2026-01-15

▶

Oracle

Oracle Oracle GoldenGate Risk Matrix: General (Apache Commons FileUpload) — CVE-2025-48976↗2025-10-15

▶

Red Hat

apache-commons-fileupload: Apache Commons FileUpload DoS via part headers↗2025-06-16

▶

Debian

CVE-2025-48976: libcommons-fileupload-java - Allocation of resources for multipart headers with insufficient limits enabled a...↗2025

▶

Microsoft

netfilter: flowtable_offload: fix using __this_cpu_add in preemptible↗2024-10-08

▶

💬Community

Bugzilla

CVE-2025-48976 tomcat: Apache Commons FileUpload DoS via part headers [fedora-42]↗2026-01-15

▶

Bugzilla

CVE-2025-48976 tomcat: Apache Commons FileUpload DoS via part headers [fedora-41]↗2026-01-15

▶