Apache Commons Fileupload vulnerabilities
6 known vulnerabilities affecting apache/commons_fileupload.
Total CVEs: 6
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 4, LOW 1
Vulnerabilities
CVE-2025-48976 | HIGH | CVSS 7.5 | affected: ≥ 1.0, < 1.6; v2.0.0 | 2025-06-16
CVE-2025-48976 [HIGH] CWE-770
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
nvd
CVE-2023-24998 | HIGH | CVSS 7.5 | affected: ≥ 1.0, < 1.5; v1.0 | 2023-02-20
CVE-2023-24998 [HIGH] CWE-770
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be e
nvd
CVE-2016-1000031 | CRITICAL | CVSS 9.8 | affected: ≤ 1.3.2 | 2016-10-25
CVE-2016-1000031 [CRITICAL] CWE-284
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
nvd
CVE-2016-3092 | HIGH | CVSS 7.5 | affected: ≤ 1.3.1 | 2016-07-04
CVE-2016-3092 [HIGH] CWE-20
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
nvd
CVE-2014-0050 | HIGH | CVSS 7.5 | PoC | affected: ≤ 1.3; v1.0; +5 more | 2014-04-01
CVE-2014-0050 [HIGH] CWE-264
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
nvd
CVE-2013-0248 | LOW | CVSS 3.3 | affected: v1.0; v1.1; +4 more | 2013-03-15
CVE-2013-0248 [LOW] CWE-264
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
nvd