PT-2025-25565 · Apache · Apache Commons FileUpload

Published: 2025-01-01 · Updated: 2026-02-17 · CVE-2025-48976

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Apache Commons FileUpload versions 1.0 through 1.5; Apache Commons FileUpload versions 2.0.0-M1 through 2.0.0-M3
Description: Apache Commons FileUpload allocated memory for multipart part headers without an adequate limit, which enables a Denial of Service (DoS). A specially crafted request containing a large number of parts, each with large headers, can drive memory consumption high enough to exhaust the service. Since the fix, the maximum size of the headers of each part of a multipart request is configurable, with a default of 512 bytes.
Recommendations: For Apache Commons FileUpload versions 1.0 through 1.5, upgrade to version 1.6. For Apache Commons FileUpload versions 2.0.0-M1 through 2.0.0-M3, upgrade to version 2.0.0-M4. As a temporary workaround, set maxPartHeaderSize on the Connector to a suitable value to reduce the risk of exploitation.
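The limit the fix introduces, shown as an added example rather than code from the advisory or from Apache Commons FileUpload: a minimal multipart reader in Python that caps how many header bytes it will buffer for any one part (512, the default the advisory cites) and how many parts it accepts, so a body made of many parts with oversized headers is refused instead of accumulated in memory. The helper names, the part-count default of 50 and the sample body are assumptions constructed for the example.

```python
DEFAULT_PART_HEADER_SIZE_MAX = 512   # the default the advisory cites
HEADER_END = b"\r\n\r\n"             # blank line that ends a part's headers

class MultipartLimitError(ValueError):
    """A configured limit was exceeded: reject the request."""

def iter_part_headers(body, boundary,
                      max_header_bytes=DEFAULT_PART_HEADER_SIZE_MAX, max_parts=50):
    """Yield each part's raw header block, buffering at most max_header_bytes of it."""
    delim = b"--" + boundary
    pos = body.find(delim)
    if pos < 0:
        raise MultipartLimitError("opening boundary not found")
    pos += len(delim)
    count = 0
    while not body.startswith(b"--", pos):   # "--boundary--" closes the body
        if body.startswith(b"\r\n", pos):
            pos += 2
        count += 1
        if count > max_parts:
            raise MultipartLimitError(f"more than {max_parts} parts")
        # Look for the blank line only inside a bounded window, so an
        # oversized header block is refused before it is read in full.
        window = body[pos:pos + max_header_bytes + len(HEADER_END)]
        end = window.find(HEADER_END)
        if end < 0:
            raise MultipartLimitError(f"part {count} headers over {max_header_bytes} bytes")
        yield window[:end]
        nxt = body.find(b"\r\n" + delim, pos + end + len(HEADER_END))
        if nxt < 0:
            raise MultipartLimitError(f"part {count} is not terminated")
        pos = nxt + 2 + len(delim)

def check_request(body, boundary, **limits):
    """Return (accepted, reason, parts_seen) for one multipart body."""
    seen = 0
    try:
        for _ in iter_part_headers(body, boundary, **limits):
            seen += 1
        return True, "ok", seen
    except MultipartLimitError as exc:
        return False, str(exc), seen

def build_body(boundary, n_parts, header_pad):
    """Constructed sample: n_parts parts, each with a header padded by header_pad bytes."""
    part = (b'Content-Disposition: form-data; name="f"\r\n'
            b"X-Pad: " + b"A" * header_pad + b"\r\n\r\nx\r\n")
    parts = b"".join(b"--" + boundary + b"\r\n" + part for _ in range(n_parts))
    return parts + b"--" + boundary + b"--\r\n"
```

With the fixed 49-byte header prefix in build_body, a pad of 463 bytes yields exactly 512 header bytes and is accepted, while 464 is refused before the rest of the body is examined.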

Tags: Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

ALSA-2025:14177
ALSA-2025:14178
ALSA-2025:14181
ALT-PU-2025-13135
ALT-PU-2025-13307
BDU:2025-07776
CESA-2025_14177
CVE-2025-48976
DLA-4244-1
DLA-4245-1
GHSA-VV7R-C36W-3PRJ
INFSA-2025_14177
INFSA-2025_14181
MGASA-2025-0296
OESA-2025-1706
OESA-2025-1765
OESA-2025-1814
OESA-2025-1815
OESA-2025-1816
OESA-2025-1817
OESA-2025-1818
OESA-2025-1819
OPENSUSE-SU-2025:15208-1
RHSA-2025:11695
RHSA-2025:11741
RHSA-2025:14177
RHSA-2025:14178
RHSA-2025:14179
RHSA-2025:14180
RHSA-2025:14181
RHSA-2025:14182
RHSA-2025:14183
RHSA-2025_14177
RHSA-2025_14181
SUSE-SU-2025:02159-1
SUSE-SU-2025:02184-1
SUSE-SU-2025_02159-1
SUSE-SU-2025_02184-1

Affected Products

Alt Linux
Almalinux
Apache Commons Fileupload
Apache Tomcat
Astra Linux
Bamboo
Centos
Confluence
Debian
Red Hat
Red Os
Rocky Linux
Suse