CVE-2025-52520

7.5 HIGH

📋 TL;DR

An integer overflow vulnerability in Apache Tomcat's multipart upload handling allows attackers to bypass configured size limits, potentially causing denial of service. This affects Tomcat versions 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, and 9.0.0.M1 through 9.0.106, with older EOL versions also potentially vulnerable. The vulnerability requires specific multipart upload configurations to be exploitable.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, 9.0.0.M1 through 9.0.106, and EOL versions 8.5.0 through 8.5.100
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ✅ No
Notes: Requires specific multipart upload configurations to be vulnerable; default configurations may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption through resource exhaustion, potentially crashing the Tomcat instance and affecting all hosted applications.

🟠 Likely Case

Partial service degradation or temporary unavailability of affected Tomcat instances when exploited.

🟢 If Mitigated

Minimal impact if size limits are properly configured and monitored, with potential for brief service interruptions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires knowledge of specific vulnerable multipart configurations and ability to send crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.9, 10.1.43, or 9.0.107

Vendor Advisory: https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.

🔧 Temporary Workarounds

Disable multipart upload

Applies to: all

If multipart upload functionality is not required, disable it in the Tomcat configuration to prevent exploitation.

Action: Edit server.xml to remove or comment out the multipart configuration.

Implement request size limits

Applies to: all

Configure strict request size limits at the web server or load balancer level to prevent large uploads.

Action: Configure the maxPostSize parameter in the Tomcat connector configuration.

🧯 If You Can't Patch

  • Implement network-level controls to restrict access to Tomcat management interfaces
  • Deploy WAF rules to detect and block suspicious multipart upload patterns

🔍 How to Verify

Check if Vulnerable:

Check Tomcat version and multipart configuration in server.xml and web.xml files

Check Version:

java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo

Verify Fix Applied:

Confirm that the running Tomcat version is at least 11.0.9, 10.1.43 or 9.0.107 for its branch, using the version check command above.
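An added shell check (not part of this advisory or of Tomcat) that applies the branch and fixed-release numbers listed on this page to a version string, including the milestone formats (11.0.0-M1, 9.0.0.M1) in the affected ranges; the sample version strings at the bottom are constructed.

```shell
#!/bin/sh
# Added example: classify a Tomcat version string against the fixed releases in this advisory.
# Exit status: 0 = fixed release, 1 = affected (incl. the EOL 8.5 branch), 2 = branch not covered.
tomcat_cve_2025_52520_status() {
  v=${1##*/}                        # "Server version: Apache Tomcat/10.1.42" -> "10.1.42"
  case "$v" in *.*.*) ;; *) return 2 ;; esac
  major=${v%%.*}; rest=${v#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  # Drop milestone suffixes ("11.0.0-M1", "9.0.0.M1") so the patch level is numeric.
  patch=$(printf '%s' "$rest" | sed 's/[^0-9].*//')
  [ -n "$patch" ] || return 2
  case "$major$minor$patch" in *[!0-9]*) return 2 ;; esac
  case "$major.$minor" in
    11.0) fixed=9 ;;                # fixed in 11.0.9
    10.1) fixed=43 ;;               # fixed in 10.1.43
    9.0)  fixed=107 ;;              # fixed in 9.0.107
    8.5)  return 1 ;;               # EOL branch: affected, no fixed release
    *)    return 2 ;;
  esac
  if [ "$patch" -ge "$fixed" ]; then return 0; else return 1; fi
}

# Map the exit status to a word without tripping set -e.
status_word() {
  rc=0
  tomcat_cve_2025_52520_status "$1" || rc=$?
  case $rc in 0) echo fixed ;; 1) echo affected ;; *) echo unknown ;; esac
}

# Check the locally installed Tomcat with the ServerInfo command from this advisory.
check_local_tomcat() {
  line=$(java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo \
         | grep '^Server version')
  status_word "$line"
}

# Constructed sample strings (no real hosts) showing each outcome.
for sample in "Server version: Apache Tomcat/10.1.42" "Apache Tomcat/11.0.9" \
              "11.0.0-M1" "9.0.0.M1" "8.5.100" "7.0.109"; do
  printf '%-40s %s\n' "$sample" "$(status_word "$sample")"
done
```

Run `check_local_tomcat` on a host with CATALINA_HOME set to classify the installed version; "unknown" means the branch is not one this advisory lists.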

📡 Detection & Monitoring

Log Indicators:

  • Unusually large multipart upload requests
  • Request size limit exceeded errors
  • OutOfMemory errors in Tomcat logs

Network Indicators:

  • Large HTTP POST requests to Tomcat endpoints
  • Multiple rapid multipart upload attempts

SIEM Query:

source="tomcat" AND ("multipart" OR "upload") AND size>1000000
