PT-2025-44001 · Apache · Apache Tomcat

Sw0Rd1Ight · Published 2025-10-07 · Updated 2026-06-02 · CVE-2025-61795

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.0 through 8.5.100
Apache Tomcat versions 9.0.0.M1 through 9.0.109
Apache Tomcat versions 10.1.0-M1 through 10.1.46
Apache Tomcat versions 11.0.0-M1 through 11.0.11

Description

An improper resource shutdown or release issue exists in Apache Tomcat. During a multipart upload, if an error occurs (including exceeding limits), temporary copies of the uploaded parts written to disk were not immediately cleaned up. These copies were left for garbage collection. Depending on JVM settings, application memory usage, and application load, the space for these temporary copies could be filled faster than garbage collection could clear it, potentially leading to a denial-of-service (DoS) condition.

Recommendations

Upgrade to Apache Tomcat version 11.0.12 or later.
Upgrade to Apache Tomcat version 10.1.47 or later.
Upgrade to Apache Tomcat version 9.0.110 or later.

Tags: Fix · DoS · Improper Resource Release


Weakness Enumeration

Related Identifiers

ALSA-2025:23050
BDU:2025-13926
BIT-TOMCAT-2025-61795
CVE-2025-61795
GHSA-HGRR-935X-PQ79
MGASA-2025-0250
OESA-2025-2559
OESA-2025-2560
OESA-2025-2561
OESA-2025-2562
OESA-2025-2563
OESA-2025-2630
OPENSUSE-SU-2025:15716-1
OPENSUSE-SU-2025:15717-1
OPENSUSE-SU-2025:15718-1
OPENSUSE-SU-2025:20106-1
OPENSUSE-SU-2026:20034-1
OPENSUSE-SU-2026:20444-1
RHSA-2025:19809
RHSA-2026:6569
RHSA-2026:8334
SUSE-SU-2025:21152-1
SUSE-SU-2025:4086-1
SUSE-SU-2025:4103-1
SUSE-SU-2025:4159-1
SUSE-SU-2025:4184-1
SUSE-SU-2026:1058-1
SUSE-SU-2026:20084-1
SUSE-SU-2026:20982-1

Affected Products

Apache Tomcat
Debian
Red Os
Suse