CVE-2025-48988

7.5 HIGH

📋 TL;DR

This CVE describes an allocation of resources without limits or throttling vulnerability in Apache Tomcat. Attackers can exploit this to cause denial of service by exhausting server resources. Affected users include those running vulnerable versions of Apache Tomcat web servers.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, 9.0.0.M1 through 9.0.105, 8.5.0 through 8.5.100 (EOL)
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ⚠️ Yes
Notes: Older EOL versions may also be affected but are not officially supported.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service causing service unavailability, potentially requiring server restart and impacting all hosted applications.

🟠 Likely Case: Degraded performance or temporary service disruption due to resource exhaustion.

🟢 If Mitigated: Minimal impact with proper resource limits and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Resource exhaustion vulnerabilities typically have low exploitation complexity and may not require authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.8, 10.1.42, or 9.0.106

Vendor Advisory: https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up the configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore the configuration files.
6. Start the Tomcat service.

🔧 Temporary Workarounds

Implement connection limits (all platforms)

Configure connection limits and timeouts to mitigate resource exhaustion.

Edit server.xml: <Connector port="8080" maxConnections="100" connectionTimeout="20000" ... />

Enable resource monitoring (all platforms)

Monitor system resources and implement automatic restart thresholds.

Implement monitoring with tools like Nagios, Zabbix, or custom scripts to track memory/CPU usage.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy web application firewall (WAF) with rate limiting capabilities

🔍 How to Verify

Check if Vulnerable:

Compare the installed Tomcat version against the affected version ranges listed above.

Check Version:

Run catalina.sh version and read the "Server number" line of its output, or examine version.txt in the Tomcat installation directory.

Verify Fix Applied:

Verify Tomcat version is 11.0.8+, 10.1.42+, or 9.0.106+
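The following script automates the version check described above. It is an added example, not part of the advisory or of Tomcat itself; the affected and fixed version numbers are taken from this page, the sample catalina.sh output is constructed, and the handling of milestone tags (-M1 / .M1) is an assumption about the version strings Tomcat prints.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an Apache Tomcat version
# against the affected and fixed ranges for CVE-2025-48988 listed on this page.
#
# `catalina.sh version` prints a line such as:
#   Server number:  9.0.105.0
# Milestone builds are reported as e.g. 11.0.0-M1 or 9.0.0.M1 (assumed here).

# tomcat_status VERSION
#   prints one of: vulnerable | fixed | eol-vulnerable | unknown
tomcat_status() {
    v=$1
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    # Third component; drop a "-M<n>" milestone suffix (11.0.0-M1 -> 0).
    # A ".M<n>" milestone (9.0.0.M1) is already cut off as a fourth component.
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/-M[0-9]*$//')

    # Anything that is not a plain integer cannot be classified.
    case $patch in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac

    # Ranges from the "Affected Systems" and "Official Fix" sections above.
    case "$major.$minor" in
        11.0) if [ "$patch" -le 7 ];   then echo vulnerable; else echo fixed; fi ;;
        10.1) if [ "$patch" -le 41 ];  then echo vulnerable; else echo fixed; fi ;;
        9.0)  if [ "$patch" -le 105 ]; then echo vulnerable; else echo fixed; fi ;;
        8.5)  if [ "$patch" -le 100 ]; then echo eol-vulnerable; else echo unknown; fi ;;
        *)    echo unknown ;;
    esac
}

# tomcat_version_from_output
#   reads `catalina.sh version` output on stdin, prints the "Server number" value
tomcat_version_from_output() {
    sed -n 's/^Server number:[[:space:]]*//p' | head -n 1
}

# Constructed sample of `catalina.sh version` output for a stand-alone run.
SAMPLE_OUTPUT='Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.105
Server built:   (constructed sample)
Server number:  9.0.105.0
OS Name:        Linux'

main() {
    ver=$(printf '%s\n' "$SAMPLE_OUTPUT" | tomcat_version_from_output)
    printf 'Tomcat %s: %s\n' "$ver" "$(tomcat_status "$ver")"
    # Against a live install:
    #   "$CATALINA_HOME/bin/catalina.sh" version | tomcat_version_from_output
}

main
```

An "eol-vulnerable" result means the installation is in the 8.5 range, which the advisory lists as affected but for which no fixed release exists, so the only remediation is to move to a supported branch.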

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection spikes
  • OutOfMemory errors
  • High thread count warnings

Network Indicators:

  • Abnormal connection patterns
  • Excessive requests from single sources

SIEM Query:

source="tomcat" AND ("OutOfMemory" OR "connection limit exceeded" OR thread_count>threshold)
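For environments without a SIEM, the indicator list above can be applied directly to Tomcat's log files. The script below is an added example, not part of the advisory; the log lines it scans are constructed, the "Maximum number of threads" wording is assumed to be the message Tomcat's connector logs when its thread pool is exhausted, and "Too many open files" is the usual operating-system message when file descriptors run out.

```shell
#!/bin/sh
# Added example (not from the advisory): count the resource-exhaustion
# indicators listed under "Detection & Monitoring" in Tomcat log lines.

# count_indicators < logfile
#   prints "oom=<n> threads=<n> conn=<n>"
count_indicators() {
    oom=0; threads=0; conn=0
    while IFS= read -r line; do
        case $line in
            *OutOfMemoryError*)                  oom=$((oom + 1)) ;;
            *"Maximum number of threads"*)       threads=$((threads + 1)) ;;
            *"connection limit exceeded"*|*"Too many open files"*)
                                                 conn=$((conn + 1)) ;;
        esac
    done
    printf 'oom=%d threads=%d conn=%d\n' "$oom" "$threads" "$conn"
}

# exceeds_threshold COUNTS THRESHOLD
#   returns 0 (true) if any indicator count in COUNTS is above THRESHOLD
exceeds_threshold() {
    counts=$1; limit=$2
    for kv in $counts; do
        n=${kv#*=}
        if [ "$n" -gt "$limit" ]; then return 0; fi
    done
    return 1
}

# Constructed sample log lines (timestamps, thread names and logger names are
# made up for this example; only the indicator phrases matter).
SAMPLE_LOG='12-Jun-2025 10:15:01.123 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [812] milliseconds
12-Jun-2025 10:22:43.001 WARNING [http-nio-8080-Acceptor] Maximum number of threads (200) created for connector with address [null] and port [8080]
12-Jun-2025 10:23:10.555 SEVERE [http-nio-8080-exec-7] Error reading request, ignored
java.lang.OutOfMemoryError: Java heap space
12-Jun-2025 10:23:11.002 WARNING [http-nio-8080-Acceptor] Socket accept failed
java.io.IOException: Too many open files'

main() {
    counts=$(printf '%s\n' "$SAMPLE_LOG" | count_indicators)
    printf 'indicators: %s\n' "$counts"
    if exceeds_threshold "$counts" 0; then
        echo "ALERT: resource-exhaustion indicators present"
    else
        echo "no indicators found"
    fi
    # Against a live install: count_indicators < "$CATALINA_BASE/logs/catalina.out"
}

main
```

A threshold of 0 flags any single occurrence, which is appropriate for the OutOfMemoryError case; for the thread-pool and connection indicators a higher threshold over a time window avoids alerting on a single busy period.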
