CVE-2023-24998
📋 TL;DR
Apache Commons FileUpload before version 1.5 has a denial-of-service vulnerability where attackers can overwhelm systems by sending unlimited file upload parts. This affects any application using the vulnerable library for file upload functionality. The vulnerability exists because the library doesn't enforce limits on the number of request parts by default.
💻 Affected Systems
- Apache Commons FileUpload
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to resource exhaustion, potentially requiring server restart and causing extended downtime.
Likely Case
Temporary service degradation or unavailability during attack periods, impacting user experience and business operations.
If Mitigated
Minimal impact with proper request part limits configured, though some resource consumption may still occur.
🎯 Exploit Status
Exploitation is straightforward - attackers simply need to send numerous file upload parts. Public proof-of-concept exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5
Vendor Advisory: https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
Restart Required: Yes
Instructions:
1. Upgrade Apache Commons FileUpload to version 1.5 or later.
2. Configure FileUploadBase#setFileCountMax with appropriate limits.
3. Restart affected applications.
🔧 Temporary Workarounds
Configure Request Part Limits
Explicitly set FileUploadBase#setFileCountMax to limit the number of request parts processed (the setter is an instance method introduced in 1.5, so it is only available once the library has been upgraded)
// Java code example: upload.setFileCountMax(100); // where upload is a ServletFileUpload (or other FileUploadBase subclass) instance
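A servlet that applies the part-count limit together with the existing size limits and reports the rejection for monitoring, as an added example (not code from the advisory or the Apache project). It assumes the 1.5 API (FileUploadBase#setFileCountMax and the FileCountLimitExceededException it throws) and the javax.servlet API; the class name and the numeric limits are made up for illustration.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileCountLimitExceededException;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public class BoundedUploadServlet extends HttpServlet {
    // Hypothetical limits: size them for the largest legitimate form (fields plus files).
    private static final long MAX_PARTS = 20;
    private static final long MAX_FILE_BYTES = 10L * 1024 * 1024;     // per part
    private static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024;  // whole request

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // CVE-2023-24998: without this call the number of parts is unbounded.
        upload.setFileCountMax(MAX_PARTS);
        upload.setFileSizeMax(MAX_FILE_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        try {
            List<FileItem> items = upload.parseRequest(req);
            for (FileItem item : items) {
                if (!item.isFormField()) {
                    // handle the uploaded file here; item.delete() once stored
                }
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (FileCountLimitExceededException e) {
            // Log the rejection so the "excessive parts" condition is visible to the SIEM.
            getServletContext().log("upload rejected: part count limit exceeded, client="
                    + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "too many parts");
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
        }
    }
}
```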
Implement Web Application Firewall Rules
Configure WAF to limit multipart/form-data request size and part count
🧯 If You Can't Patch
- Implement rate limiting on file upload endpoints
- Deploy reverse proxy with request size and part count limits
🔍 How to Verify
Check if Vulnerable:
Check if application uses Apache Commons FileUpload version <1.5. Review application dependencies and configuration files.
Check Version:
Check Maven/Gradle dependencies, or read the version from the JAR file name or its manifest: unzip -p commons-fileupload.jar META-INF/MANIFEST.MF (the library has no main class, so it cannot be run with java -jar)
Verify Fix Applied:
Verify Apache Commons FileUpload version is 1.5 or later and FileUploadBase#setFileCountMax is configured with appropriate limits.
📡 Detection & Monitoring
Log Indicators:
- Unusually large number of file upload requests
- High memory/CPU usage spikes during uploads
- Request timeouts on upload endpoints
Network Indicators:
- Large volume of multipart/form-data requests
- Requests with excessive Content-Length headers
- Sustained upload traffic to vulnerable endpoints
SIEM Query:
source="application.logs" AND (message="*FileUpload*" OR message="*upload*") AND (bytes_received>10000000 OR request_duration>30s)
🔗 References
- http://www.openwall.com/lists/oss-security/2023/05/22/1
- https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy
- https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html
- https://security.gentoo.org/glsa/202305-37
- https://www.debian.org/security/2023/dsa-5522
- https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html
- https://security.netapp.com/advisory/ntap-20230302-0013/
- https://security.netapp.com/advisory/ntap-20241108-0002/