CVE-2025-61795

CWE-40410 documents8 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 67.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedOct 27

Latest updateJan 15

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leadi…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.6 | Impact: 3.6

Affected Packages8 packages

▶NVDapache/tomcat9.0.0 — 9.0.110+4

▶Mavenorg.apache.tomcat:tomcat11.0.0-M1 — 11.0.12+3

▶Mavenorg.apache.tomcat:tomcat-catalina11.0.0-M1 — 11.0.12+3

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core11.0.0-M1 — 11.0.12+3

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.11+3

🔴Vulnerability Details

OSV

Apache Tomcat Vulnerable to Improper Resource Shutdown or Release↗2025-10-27

▶

GHSA

Apache Tomcat Vulnerable to Improper Resource Shutdown or Release↗2025-10-27

▶

OSV

CVE-2025-61795: Improper Resource Shutdown or Release vulnerability in Apache Tomcat↗2025-10-27

▶

CVEList

Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS↗2025-10-27

▶

📋Vendor Advisories

Oracle

Oracle Oracle Graph Server and Client Risk Matrix: Packaging (Apache Tomcat) — CVE-2025-61795↗2026-01-15

▶

Red Hat

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Denial of service↗2025-10-27

▶

Debian

CVE-2025-61795: tomcat10 - Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an err...↗2025

▶

💬Community

Bugzilla

CVE-2025-61795 tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Denial of service↗2025-10-27

▶

Bugzilla

CVE-2025-61795 tomcat: Apache Tomcat: Denial of service [fedora-42]↗2025-10-27

▶