CVE-2025-48989

Severity: 7.5 HIGH
EPSS: 0.2% (percentile: top 52.67%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-08-13, latest update 2026-01-15

Description

An Improper Resource Shutdown or Release vulnerability in Apache Tomcat left Tomcat's HTTP/2 connector exposed to the "MadeYouReset" denial-of-service attack. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43, and from 9.0.0.M1 through 9.0.107. Older, end-of-life versions may also be affected. Users are recommended to upgrade to 11.0.10, 10.1.44 or 9.0.108, which fix the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Reading the vector: remotely reachable over the network (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N, UI:N), and the only impact is on availability (C:N, I:N, A:H), which is consistent with an unauthenticated HTTP/2 denial of service.

Affected Packages (7 packages)

Source    | Package                                   | Affected range                          | Further ranges
NVD       | apache/tomcat                             | 9.0.1 up to, not including, 9.0.108     | +3
Maven     | org.apache.tomcat:tomcat-coyote           | 11.0.0-M1 up to, not including, 11.0.10 | +2
Maven     | org.apache.tomcat.embed:tomcat-embed-core | 11.0.0-M1 up to, not including, 11.0.10 | +2
CVEListV5 | apache_software_foundation/apache_tomcat  | 11.0.0-M1 through 11.0.9                | +2
Debian    | tomcat9                                   | < 9.0.70-2                              | +3
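The description above and the package table both express the fix as three per-branch version ranges, and Tomcat's milestone builds (9.0.0.M1, 10.1.0-M1, 11.0.0-M1) do not compare correctly as plain dotted numbers. The following checker is an added example written for this page, not code from Apache Tomcat or from the advisory sources; it encodes only the ranges stated in the description, treats a milestone as sorting before the final release with the same patch number, and flags anything on an unlisted older branch as "possibly affected" because the advisory says EOL lines may also be affected. The version banners fed to it are constructed sample input. The Maven artifacts tomcat-coyote and tomcat-embed-core are versioned in lockstep with Tomcat itself, so the same ranges apply to them.

```python
"""Classify an Apache Tomcat version against the CVE-2025-48989 ranges.

Added example for this page; not Apache Tomcat's own code. The ranges come
from the advisory text, the sample banners below are constructed.
"""
import re

# Milestones appear as 9.0.0.M1 (9.x style) or 11.0.0-M1 (10.1/11 style).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?\b")

# (first affected, last affected, first fixed) per supported branch,
# exactly as stated in the advisory description.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.9", "11.0.10"),
    ("10.1.0-M1", "10.1.43", "10.1.44"),
    ("9.0.0.M1", "9.0.107", "9.0.108"),
]


def parse_tomcat_version(text):
    """Return a sortable tuple (major, minor, patch, is_final, milestone).

    Accepts a bare version ("9.0.107") or a banner such as
    "Apache Tomcat/9.0.107". A milestone sorts before the final release of
    the same patch number: 9.0.0.M1 < 9.0.0.M27 < 9.0.0 < 9.0.1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(text):
    """Return (status, first_fixed_version_or_None) for a version string.

    status is one of: "affected", "fixed", "eol_possibly_affected"
    (older branch not listed in the advisory), "newer_than_listed".
    """
    v = parse_tomcat_version(text)
    for lo, hi, fixed in AFFECTED_RANGES:
        lo_t, hi_t, fixed_t = map(parse_tomcat_version, (lo, hi, fixed))
        if lo_t <= v <= hi_t:
            return ("affected", fixed)
        # Same major.minor branch and at or beyond the fix release.
        if v[:2] == fixed_t[:2] and v >= fixed_t:
            return ("fixed", fixed)
    # Not on a listed branch. The advisory says older EOL lines (e.g. 8.5.x,
    # 10.0.x) may also be affected, so do not report them as safe.
    if v < parse_tomcat_version(AFFECTED_RANGES[0][0]):
        return ("eol_possibly_affected", None)
    return ("newer_than_listed", None)


if __name__ == "__main__":
    # Constructed sample banners, e.g. scraped from error pages or a CMDB.
    for banner in ["Apache Tomcat/9.0.107", "Apache Tomcat/9.0.108",
                   "11.0.0-M1", "10.1.43", "10.1.44", "8.5.100"]:
        print(f"{banner:24} -> {assess(banner)}")
```

Run it over an inventory export and act on every "affected" and "eol_possibly_affected" result; the Debian and Oracle entries on this page show that distribution builds carry their own version strings (e.g. 9.0.70-2), so check those against the vendor advisory rather than against the upstream ranges encoded here.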

🔴 Vulnerability Details (4)

OSV: Apache Tomcat Improper Resource Shutdown or Release vulnerability (2025-08-13)
CVEList: Apache Tomcat: h2 DoS - Made You Reset (2025-08-13)
GHSA: Apache Tomcat Improper Resource Shutdown or Release vulnerability (2025-08-13)
OSV: CVE-2025-48989: Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack (2025-08-13)

📋 Vendor Advisories (4)

Oracle: Oracle Siebel CRM Risk Matrix: Application Interface (Apache Tomcat), CVE-2025-48989 (2026-01-15)
Oracle: Oracle Commerce Risk Matrix: Tools And Frameworks, Content Acquisition System, Platform Services (Apache Tomcat), CVE-2025-48989 (2025-10-15)
Red Hat: tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (2025-08-13)
Debian: CVE-2025-48989: tomcat10 - Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat... (2025)