CVE-2025-61795: Tomcat Vulnerability & Remediation
This article discusses CVE-2025-61795, a medium-severity vulnerability detected in tomcat-embed-core-10.1.20.jar. It affects several Apache Tomcat release lines and can be used to cause a Denial of Service (DoS), so it should be scheduled for prompt remediation. We cover the vulnerability details, its impact, and the suggested fixes to help you secure your applications.
Vulnerable Library: tomcat-embed-core-10.1.20.jar
Core Tomcat Implementation
The tomcat-embed-core-10.1.20.jar library is the core of the embedded Apache Tomcat servlet container: the HTTP connectors, request parsing (including multipart uploads), and the servlet engine itself. It is pulled in transitively by the Spring Boot Starter Tomcat dependency, so any Spring Boot web application built against an unpatched Boot release ships it without ever declaring it directly.
- Library Home Page: https://tomcat.apache.org/
- Path to Dependency File: /secretsForGH/pom.xml
- Path to Vulnerable Library: /secretsForGH/pom.xml
Dependency Hierarchy:
The vulnerability exists within a nested dependency. The chain of dependencies leading to the vulnerable library is as follows:
- spring-boot-starter-web-3.2.5.jar (Root Library)
  - spring-boot-starter-tomcat-3.2.5.jar
    - tomcat-embed-core-10.1.20.jar (Vulnerable Library)
Location in Repository
- Found in HEAD commit: 8a1d23dc98bf1a94abec88a378f1a3ff7943358c
- Found in base branch: main
Vulnerability Details
The CVE-2025-61795 vulnerability is categorized as an Improper Resource Shutdown or Release issue (CWE-404): a resource that should be released on the error path is not. The result is a Denial of Service (DoS) through disk exhaustion. The following sections cover the specifics of the vulnerability and its potential impact.
Description
During the processing of multipart uploads in Apache Tomcat, if an error occurs (including exceeding a configured limit such as maxFileSize or maxRequestSize), the temporary copies of the uploaded parts that were already written to disk are not deleted immediately. Instead they are left to be cleaned up only when the garbage collector (GC) eventually collects the objects that reference them. The crux of the problem is timing: the disk space is held by files that nothing will free until a GC cycle happens to reach them.
Depending on JVM settings (heap size, collector), application memory usage, and overall load, the space consumed by these temporary copies can therefore grow faster than the garbage collector reclaims it. The filesystem holding the upload location fills up, and every write on it fails, which leaves the server unable to serve requests: a DoS through resource exhaustion.
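The symptom the description talks about, orphaned multipart temp files piling up on disk, can be watched for while a deployment is waiting for the upgrade. The script below is an added example written for this page; it is not Tomcat code and not part of the original advisory. It assumes that Tomcat names spilled parts upload_*.tmp inside the @MultipartConfig location (the webapp work directory when no location is set); treat that naming as an assumption and confirm it against your own deployment before relying on the numbers. The directory and files it scans in the demo are constructed in a scratch directory.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumption for this example: Tomcat writes each spilled multipart part as
# upload_<uid>_<n>.tmp inside the @MultipartConfig location (the webapp's work
# directory when no location is set). Adjust PATTERN if your build differs.
PATTERN = "upload_*.tmp"


def find_stale_uploads(directory, max_age_seconds=300, pattern=PATTERN, now=None):
    """Return [(path, size_bytes, age_seconds)] for temp parts older than max_age_seconds.

    The age threshold matters: a young upload_*.tmp may belong to a request that is
    still being parsed, so it is neither counted here nor safe to delete.
    """
    now = time.time() if now is None else now
    stale = []
    for path in Path(directory).glob(pattern):
        try:
            st = path.stat()
        except FileNotFoundError:
            continue  # Tomcat (or the GC) removed it between listing and stat
        age = now - st.st_mtime
        if age >= max_age_seconds:
            stale.append((str(path), st.st_size, age))
    return stale


def summarize(stale):
    """Collapse the stale list into the two numbers worth graphing: count and bytes."""
    return {"count": len(stale), "bytes": sum(size for _, size, _ in stale)}


def should_alert(directory, stale, max_stale_bytes=256 * 1024 * 1024, min_free_ratio=0.10):
    """Return a reason string when the orphaned parts are large or the filesystem is
    nearly full, otherwise None. Both are checked because a small upload directory on a
    small filesystem hits the free-space limit long before the byte cap."""
    total = summarize(stale)["bytes"]
    if total >= max_stale_bytes:
        return f"{total} bytes of orphaned multipart temp files (cap {max_stale_bytes})"
    usage = shutil.disk_usage(directory)
    if usage.total and usage.free / usage.total < min_free_ratio:
        return f"filesystem below {min_free_ratio:.0%} free with {total} orphaned bytes"
    return None


def build_demo_dir():
    """Constructed sample data for this example: two hour-old orphaned parts, one fresh
    part from an in-flight request, and an unrelated file that must be ignored."""
    demo = Path(tempfile.mkdtemp(prefix="tomcat-multipart-demo-"))
    hour_ago = time.time() - 3600
    for name, size, mtime in (
        ("upload_1_1.tmp", 4096, hour_ago),
        ("upload_1_2.tmp", 8192, hour_ago),
        ("upload_2_1.tmp", 16, None),    # fresh: keeps the current mtime
        ("SESSIONS.ser", 10, hour_ago),  # not a multipart temp file
    ):
        f = demo / name
        f.write_bytes(b"\0" * size)
        if mtime is not None:
            os.utime(f, (mtime, mtime))
    return demo


if __name__ == "__main__":
    demo_dir = build_demo_dir()
    stale_parts = find_stale_uploads(demo_dir)
    print(summarize(stale_parts))  # {'count': 2, 'bytes': 12288}
    print(should_alert(demo_dir, stale_parts, max_stale_bytes=4096))
    shutil.rmtree(demo_dir)
```

Run it on a schedule against the real upload location and feed the count and byte total into your metrics pipeline; a steadily rising count with no matching request volume is the fingerprint of this bug. Do not turn it into an automatic cleaner for files younger than the age threshold, since those may still be referenced by a request that is being parsed.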
Affected Versions
This vulnerability affects Apache Tomcat versions:
- 11.0.0-M1 through 11.0.11
- 10.1.0-M1 through 10.1.46
- 9.0.0.M1 through 9.0.109
- EOL versions 8.5.0 through 8.5.100 and potentially older EOL versions.
Impact
The primary impact of this vulnerability is a Denial of Service (DoS). An attacker can trigger the flaw by repeatedly sending multipart requests that fail part-way through, for example by exceeding the configured size limits, so that temporary files accumulate faster than they are reclaimed and the filesystem holding the upload location fills up. A full disk affects far more than the upload path: session persistence, logging and any other write on the same filesystem fail as well, so the Tomcat server as a whole becomes unresponsive and service is disrupted for legitimate users.
Publication Details
- Publish Date: 2025-10-27
- URL: CVE-2025-61795
CVSS 3.0 Score Details (5.3 - Medium)
The Common Vulnerability Scoring System (CVSS) provides a standardized way to assess the severity of vulnerabilities. The CVE-2025-61795 vulnerability has a CVSS 3.0 score of 5.3, indicating a medium severity.
Base Score Metrics
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
- Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Understanding the Score
The CVSS score reflects the ease of exploitation and the potential impact on the system. The attack vector is Network, so the flaw can be exploited remotely. Attack complexity is High because the attacker must make temporary files accumulate faster than the JVM reclaims them, which depends on the target's heap size, garbage-collector behaviour and upload limits, and may need sustained traffic rather than a single request. Privileges Required: Low means the score assumes the attacker holds a low-privilege account; whether an unauthenticated user can reach a multipart endpoint depends on the application, and Spring Boot enables multipart parsing for the DispatcherServlet by default, so any publicly reachable controller that accepts multipart/form-data is a candidate. The High availability impact reflects disk exhaustion taking down the whole server, not just the upload handler.
For more detailed information on CVSS3 Scores, refer to the FIRST CVSS Calculator.
Suggested Fix
To mitigate the CVE-2025-61795 vulnerability, it is highly recommended to upgrade your Apache Tomcat version to a patched release. The following versions address this issue:
Upgrade Recommendations
- Upgrade to version 11.0.12 or later.
- Upgrade to version 10.1.47 or later.
- Upgrade to version 9.0.110 or later.
Fix Details
- Type: Upgrade version
- Origin: Apache Tomcat Security Announcement
- Release Date: 2025-10-27
- Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.47
- Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.11
Steps to Apply the Fix
- Update Dependencies: Modify your project's pom.xml (or equivalent dependency management file) to update the version of org.springframework.boot:spring-boot-starter-web to 3.4.11 or later. This transitively updates the tomcat-embed-core dependency. If moving to a newer Spring Boot line is not an option yet, the Spring Boot parent also lets you override the embedded Tomcat version alone through the tomcat.version property; 10.1.47 is the first fixed release on the 10.1 line.
- Verify the Update: After updating the dependencies, verify that the resolved tomcat-embed-core version is 10.1.47 or later by inspecting the dependency tree of your project (for Maven, mvn dependency:tree). Check the resolved version, not the version you requested: another dependency or a dependencyManagement entry can still pin the old one.
- Test Thoroughly: After applying the fix, run the application's test suite and exercise the upload paths to ensure that the application functions as expected and that the vulnerability has been effectively mitigated.
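The procedure above, as an added worked example written for this page (not tooling from Apache Tomcat, Spring, or the repository in question): a Python checker that reads `mvn dependency:tree` output, compares each resolved tomcat-embed-core version against the first fixed release on its branch from the Affected Versions and Upgrade Recommendations sections, and pins `tomcat.version` in the pom for the case where Spring Boot itself cannot be moved. The Maven output and pom.xml embedded in it are constructed samples, not captures from the real repository.

```python
import re

# First fixed release on each supported Tomcat branch, from the Apache Tomcat
# announcement for CVE-2025-61795. The 8.5 branch is end of life and has no fix.
FIXED_VERSIONS = {
    (11, 0): "11.0.12",
    (10, 1): "10.1.47",
    (9, 0): "9.0.110",
}

# Handles release numbers (10.1.46) and both milestone spellings (10.1.0-M1, 9.0.0.M1).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# Matches the tomcat-embed-core line in `mvn dependency:tree` output.
_TREE_RE = re.compile(r"org\.apache\.tomcat\.embed:tomcat-embed-core:jar:([^:\s]+)")


def parse_version(text):
    """Return a tuple that sorts the way Tomcat releases do: 10.1.0-M1 < 10.1.0 < 10.1.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)  # milestones sort before the release
    return (int(major), int(minor), int(patch)) + tail


def is_vulnerable(version):
    """True when `version` is older than the fix on its branch, or on an EOL branch."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        if v[0] <= 8:
            return True  # 8.5.x and older: affected and never fixed
        raise ValueError(f"no fix data for Tomcat branch {v[0]}.{v[1]}")
    return v < parse_version(fixed)


def check_tree(tree_output):
    """Return [(version, vulnerable)] for every tomcat-embed-core that Maven resolved."""
    return [(ver, is_vulnerable(ver)) for ver in _TREE_RE.findall(tree_output)]


def pin_tomcat_version(pom_text, version):
    """Add or replace <tomcat.version> in the pom's <properties> block.

    The Spring Boot parent POM honours this property, so the embedded Tomcat can be
    moved to a fixed release without changing the Spring Boot version itself.
    """
    prop = f"<tomcat.version>{version}</tomcat.version>"
    existing = re.compile(r"<tomcat\.version>[^<]*</tomcat\.version>")
    if existing.search(pom_text):
        return existing.sub(prop, pom_text, count=1)
    if "<properties>" in pom_text:
        return pom_text.replace("<properties>", "<properties>\n        " + prop, 1)
    block = "    <properties>\n        " + prop + "\n    </properties>\n</project>"
    return pom_text.replace("</project>", block, 1)


# Constructed sample of `mvn dependency:tree -Dincludes=org.apache.tomcat.embed`
# output for the hierarchy in this advisory (not captured from the real repository).
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ secrets-for-gh ---
[INFO] com.example:secrets-for-gh:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO]    \\- org.springframework.boot:spring-boot-starter-tomcat:jar:3.2.5:compile
[INFO]       \\- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.20:compile
"""

# Constructed minimal pom.xml that inherits from the Spring Boot parent.
SAMPLE_POM = """\
<project>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.5</version>
    </parent>
    <properties>
        <java.version>17</java.version>
    </properties>
</project>
"""

if __name__ == "__main__":
    for ver, vuln in check_tree(SAMPLE_TREE):
        print(f"tomcat-embed-core {ver}: {'VULNERABLE' if vuln else 'fixed'}")  # 10.1.20: VULNERABLE
    print(pin_tomcat_version(SAMPLE_POM, FIXED_VERSIONS[(10, 1)]))
```

Pipe real output into check_tree (for example `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` captured to a file) and fail the build when any entry is flagged; because the comparison is done per branch, a 9.0.x project is judged against 9.0.110 rather than against 10.1.47. Pinning tomcat.version is a stop-gap: it leaves the rest of Spring Boot at the old release, so the proper fix is still the starter upgrade the advisory recommends.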
Remediation Checklist
To ensure complete remediation, consider the following checklist:
- [ ] Update the spring-boot-starter-web dependency to version 3.4.11 or later.
- [ ] Verify the resolved tomcat-embed-core version is 10.1.47 or later.
- [ ] Perform thorough testing of the application.
- [ ] Monitor the application for any unexpected behavior.
Conclusion
The CVE-2025-61795 vulnerability in tomcat-embed-core-10.1.20.jar poses a risk of Denial of Service (DoS) attacks. By understanding the vulnerability details, its impact, and the suggested fixes, you can take proactive steps to secure your applications. Upgrading to the recommended versions of Apache Tomcat and Spring Boot is crucial to mitigate this risk. Remember to perform thorough testing after applying the fix to ensure that the application functions as expected.
For further reading on Apache Tomcat security and updates, you can visit the Apache Tomcat Security Page.