CVE-2025-61795: Tomcat Vulnerability & How To Fix It
This article delves into CVE-2025-61795, a medium-severity vulnerability detected within the tomcat-embed-core-10.1.20.jar library. We'll explore the specifics of the vulnerability, its potential impact, and, most importantly, the recommended steps to fix it. This information is crucial for anyone using Apache Tomcat, especially those who may be utilizing the affected versions.
The Core of the Problem: tomcat-embed-core-10.1.20.jar
At the heart of this issue lies tomcat-embed-core-10.1.20.jar, a critical component of the Apache Tomcat server. This JAR file provides the core implementation for embedding Tomcat within other applications. The vulnerability resides within the way Tomcat handles multipart uploads, specifically when errors occur during the processing of these uploads. When an error arises, temporary files created during the upload process are not immediately cleaned up. Instead, they're left for the garbage collection process, which can lead to a denial-of-service (DoS) condition.
This vulnerability is present in various Tomcat versions, from 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, and 9.0.0.M1 through 9.0.109. Older, end-of-life versions, such as 8.5.0 through 8.5.100, are also potentially affected. Understanding the scope of the affected versions is the first step in determining the impact on your systems and the necessary actions to mitigate the risk. The dependency hierarchy reveals that tomcat-embed-core-10.1.20.jar is a direct dependency of spring-boot-starter-tomcat-3.2.5.jar, which in turn is a dependency of spring-boot-starter-web-3.2.5.jar. This information helps in understanding how the vulnerability is introduced into your application and how to best address it.
Dependency Hierarchy Deep Dive
Understanding the dependency hierarchy is critical for effective remediation. In this case, spring-boot-starter-web-3.2.5.jar is the root library. This package leverages spring-boot-starter-tomcat-3.2.5.jar, which encapsulates Tomcat. Within this dependency lies the vulnerable tomcat-embed-core-10.1.20.jar. Analyzing this structure provides the information needed to pinpoint the exact location where the vulnerability arises within the application. It highlights that an upgrade to the spring-boot-starter-web package is also needed to ensure that this vulnerability is properly addressed.
Vulnerability Details: Improper Resource Handling
The root cause of CVE-2025-61795 is an improper resource shutdown or release within Apache Tomcat. The vulnerability stems from how Tomcat manages temporary files during multipart uploads. While a multipart upload is being processed, Tomcat writes temporary copies of the uploaded parts to disk. If an error interrupts that processing, such as an upload limit being exceeded, these temporary files are not immediately deleted but are left for the garbage collection process. This can create a backlog of temporary files on disk and degrade system performance.
Depending on the Java Virtual Machine (JVM) settings, the application's memory usage, and the overall load on the application, the temporary files can accumulate faster than the garbage collector removes them. This can quickly exhaust disk space and cause a denial-of-service (DoS) condition: the server may become unresponsive, leading to significant disruption of service. Understanding your JVM configuration therefore helps you judge how quickly this could happen and prepare an appropriate response.
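The accumulation described above shows up on disk well before it shows up as an outage, so it is worth watching for directly. The following is an added example, not code from this article or from the Tomcat project: a small Python audit that counts upload temp files older than any request should plausibly live and flags when they are eating into free space. It assumes (an assumption, not something the article states) that the multipart parser names its temporary copies upload_*.tmp inside the servlet context's temp directory; both the directory and the glob are parameters. The sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

# Assumption (not from the article): Tomcat's multipart parser names the temporary
# copies of uploaded parts upload_*.tmp inside the servlet context's temp directory.
# Override `pattern` if your deployment differs.
DEFAULT_PATTERN = "upload_*.tmp"


@dataclass
class TmpAudit:
    stale_files: List[str]   # file names older than the allowed age
    stale_bytes: int         # total size of those files
    oldest_age_s: float      # age of the oldest stale file in seconds


def audit_multipart_tmp(directory: str, max_age_s: float,
                        now: Optional[float] = None,
                        pattern: str = DEFAULT_PATTERN) -> TmpAudit:
    """Report upload temp files older than max_age_s.

    A healthy server only holds such a file while the request that created it is
    in flight, so anything older than the longest plausible request is an orphan
    waiting on the garbage collector, which is exactly what the bug leaves behind.
    """
    now = time.time() if now is None else now
    stale: List[str] = []
    total = 0
    oldest = 0.0
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file() or not fnmatch(entry.name, pattern):
                continue
            st = entry.stat()
            age = now - st.st_mtime
            if age >= max_age_s:
                stale.append(entry.name)
                total += st.st_size
                oldest = max(oldest, age)
    return TmpAudit(sorted(stale), total, oldest)


def disk_pressure(audit: TmpAudit, free_bytes: int, fraction: float = 0.10) -> bool:
    """True when orphaned uploads already hold at least `fraction` of the free space."""
    return audit.stale_bytes >= fraction * free_bytes


def make_demo_directory(now: float) -> str:
    """Build a constructed sample directory: two orphans, one in-flight upload, one unrelated file."""
    directory = tempfile.mkdtemp(prefix="tomcat-tmp-demo-")
    sample = {                              # name: (age in seconds, size in bytes)
        "upload_aaa_1.tmp": (3600, 4096),
        "upload_bbb_2.tmp": (900, 2048),
        "upload_ccc_3.tmp": (5, 1024),      # still being written by a live request
        "notes.txt": (3600, 10),            # not an upload, must be ignored
    }
    for name, (age, size) in sample.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        os.utime(path, (now - age, now - age))
    return directory


if __name__ == "__main__":
    now = time.time()
    report = audit_multipart_tmp(make_demo_directory(now), max_age_s=300, now=now)
    print(f"{len(report.stale_files)} stale upload file(s), {report.stale_bytes} bytes, "
          f"oldest {report.oldest_age_s:.0f}s: {report.stale_files}")
    if disk_pressure(report, free_bytes=60_000):
        print("ALERT: orphaned multipart uploads are consuming free disk space")
```

Run it from cron or a monitoring agent against the real temp directory with `free_bytes` taken from `shutil.disk_usage`; a growing count of stale files on a server that is otherwise idle is the signature of this bug, and the same check tells you afterwards whether the upgrade actually stopped the leak.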
The Impact: Denial of Service (DoS)
The most significant impact of CVE-2025-61795 is the potential for a denial-of-service (DoS) attack. This can render the Tomcat server unavailable, preventing users from accessing the application. The severity of the impact depends on the application's criticality. For critical applications, this can result in significant financial loss and reputational damage. The exploitability metrics highlight that the attack vector is network-based, making it accessible from anywhere. The attack complexity is rated as high because the attacker needs specific conditions for the attack to be successful.
CVSS 3 Score and Severity
Assessing the severity of a vulnerability is crucial for prioritizing remediation efforts. CVE-2025-61795 has a CVSS 3 score of 5.3, classifying it as a medium-severity vulnerability. The base score metrics provide a breakdown of the vulnerability's characteristics. The attack vector is network-based, meaning it can be exploited remotely. The attack complexity is rated as high because it needs specific conditions. The impact metrics reveal that while confidentiality and integrity are not directly affected, the availability is significantly impacted, leading to the potential for a DoS. A high impact on availability is a critical factor in determining the urgency of the fix.
Understanding CVSS Metrics
The CVSS (Common Vulnerability Scoring System) score provides a standardized method for assessing vulnerability severity. The score is calculated based on various metrics, including attack vector, attack complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact. The score helps prioritize vulnerabilities for remediation efforts. For CVE-2025-61795, the network attack vector indicates that the vulnerability can be exploited over a network. High attack complexity signifies that it may need specific conditions to be successfully exploited. The high availability impact highlights the risk of service disruption.
Suggested Fix: Upgrade to a Secure Version
The recommended solution to address CVE-2025-61795 is to upgrade to a patched version of Apache Tomcat. The suggested fix involves updating to version 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later. These versions include the necessary fixes to prevent the improper handling of temporary files during multipart uploads. In addition to upgrading Tomcat, it's also important to consider updating the direct dependencies, such as upgrading org.springframework.boot:spring-boot-starter-web to version 3.4.11. Upgrading the direct dependencies will ensure that all libraries are protected from the vulnerability.
Step-by-Step Upgrade Guide
- Identify Affected Versions: Start by identifying all instances of tomcat-embed-core-10.1.20.jar within your applications. Check your pom.xml or build.gradle files. Make sure to understand the dependencies and how the library is utilized. This will ensure that all instances of the vulnerability are addressed.
- Backup: Before making any changes, back up your current application and configuration files. This will allow you to revert to the original state if needed.
- Upgrade Tomcat: Upgrade Tomcat to the recommended version. Update the version number in your pom.xml file and rebuild your application. Ensure the dependencies are compatible with the latest version.
- Update Dependencies: Update any dependent Spring Boot libraries to the recommended versions. This may require some testing to make sure everything works correctly.
- Test: Thoroughly test your application after the upgrade to ensure that the fix has been successfully implemented and that no new issues have been introduced. Ensure that your application functions as expected and that there are no adverse effects.
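The first and fourth steps above, and the dependency hierarchy section earlier, come down to the same question: which tomcat-embed-core does the build actually resolve, and through which starter. The following is an added example, not code from this article, the Tomcat project or Spring Boot: a Python script that parses the output of mvn dependency:tree, compares every tomcat-embed-core it finds against the fixed versions the article lists (9.0.110, 10.1.47 and 11.0.12, with anything below 9.0 treated as unfixed end-of-life), and prints the path from the root artifact down to it. The tree output embedded in the script is a constructed sample matching the hierarchy the article describes, not captured from a real build.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Lowest fixed tomcat-embed-core version on each branch named in the advisory text.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (9, 0): (9, 0, 110),
    (10, 1): (10, 1, 47),
    (11, 0): (11, 0, 12),
}

# One line of `mvn dependency:tree` output: "[INFO] |  +- group:artifact:type:version:scope"
DEP_LINE = re.compile(
    r"^\[INFO\] (?P<prefix>[|+\\\- ]*)"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):(?P<version>[^:\s]+)"
    r"(?::(?P<scope>\w+))?\s*$"
)

# Constructed sample of `mvn dependency:tree` output for a Spring Boot 3.2.5 app
# (the hierarchy the article describes); not captured from a real build.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.2.5:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.20:compile
[INFO] |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.20:compile
[INFO] |  |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.20:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:3.2.5:test
"""


def parse_version(text: str) -> Version:
    """Turn '10.1.20', '11.0.0-M1' or '9.0.0.M1' into (major, minor, patch).

    Milestone suffixes are dropped: 11.0.0-M1 sorts as 11.0.0, which is below
    every fixed release, so milestones are correctly reported as affected.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if this tomcat-embed-core version is below the fix for its branch.

    Branches older than 9.0 (e.g. 8.5.x) are end-of-life and never received a
    fix, so they are reported as affected. Branches the advisory does not name
    return None: not assessed, which is not the same as safe.
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in FIXED_VERSIONS:
        return parsed < FIXED_VERSIONS[branch]
    if parsed < (9, 0, 0):
        return True
    return None


def scan_dependency_tree(tree_output: str) -> List[Dict[str, str]]:
    """Find every affected tomcat-embed-core in `mvn dependency:tree` output.

    Each finding records the version and the path from the root artifact down
    to it, so you can see which starter pulled it in.
    """
    findings: List[Dict[str, str]] = []
    path: List[Tuple[int, str]] = []  # stack of (depth, "artifact:version")
    for line in tree_output.splitlines():
        m = DEP_LINE.match(line)
        if m is None:
            continue
        depth = len(m.group("prefix")) // 3  # each tree level is three characters wide
        node = f"{m.group('artifact')}:{m.group('version')}"
        path = [p for p in path if p[0] < depth] + [(depth, node)]
        if (m.group("group"), m.group("artifact")) == ("org.apache.tomcat.embed", "tomcat-embed-core"):
            if is_vulnerable(m.group("version")):
                findings.append({
                    "version": m.group("version"),
                    "path": " -> ".join(name for _, name in path),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_dependency_tree(SAMPLE_TREE):
        print(f"AFFECTED tomcat-embed-core {finding['version']} via {finding['path']}")
```

Feed it the real output of `mvn dependency:tree` from your project (Gradle's `dependencies` task prints a differently shaped tree, so the regex would need adjusting there). Under the Spring Boot parent POM the embedded Tomcat version is managed through the tomcat.version property, so setting that property to a fixed release in your pom.xml pins tomcat-embed-core ahead of a full Spring Boot upgrade; re-run the scan afterwards to confirm the resolved version actually changed.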
Conclusion
CVE-2025-61795 is a serious vulnerability that can lead to a DoS attack. To protect your systems, upgrade your Apache Tomcat and direct dependencies to the versions with the fix. Prioritizing these upgrades is crucial for maintaining the availability and security of your applications. Regularly scan your dependencies for known vulnerabilities, and stay informed about the latest security advisories to ensure that your systems remain protected. By taking these steps, you can prevent the exploitation of this vulnerability and safeguard your Tomcat servers.
For more detailed information and the latest updates on this vulnerability, please refer to the official Apache Tomcat documentation and security advisories. Acting quickly, and understanding the underlying issue, are both important to safeguarding your systems.
For additional information, you can check the official Apache Tomcat website: https://tomcat.apache.org/