Tomcat Flaws Expose Servers to DoS, Auth Bypass & Privilege Escalation
Apache Tomcat, the most widely deployed Java servlet container, sits underneath a large share of enterprise and cloud web applications. Its open-source licence and small footprint have made it a default choice across many industries.
However, widespread adoption also carries widespread risk.
In June 2025, the Apache Software Foundation disclosed four vulnerabilities across Tomcat 9.0, 10.1, and 11.0. They are rated Important, Moderate and Low (none is rated Critical), but together they cover the three outcomes an attacker cares about most.
The vulnerabilities cover: denial of service (DoS) through multipart uploads (two CVEs), bypass of security constraints (an authentication bypass), and privilege escalation through the Windows installer.
Systems still running unpatched versions of Tomcat remain exposed to all of them.
This article looks at each vulnerability, summarises its impact, and explains how to reduce the risk on your systems. The final part covers the patch versions to move to and the configuration practices that help secure your deployment.
Summary of Flaws
CVE ID | Severity | Impact | Affected Versions |
CVE-2025-48976 | Important | DoS via oversized multipart part headers | 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 |
CVE-2025-48988 | Important | DoS via excessive multipart part count | 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 |
CVE-2025-49124 | Low | Windows installer untrusted search path (icacls.exe side-loading) | 9.0.23–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 |
CVE-2025-49125 | Moderate | Security constraint (auth) bypass via PreResources/PostResources | 9.0.0.M1–9.0.105, 10.1.0-M1–10.1.41, 11.0.0-M1–11.0.7 |
CVE-2025-48976 – Multipart Header Memory Exhaustion
Nature of the Flaw
This vulnerability originates in Apache Commons FileUpload, the library used to parse multipart/form-data uploads. Tomcat bundles a package-renamed copy of it, so the same CVE applies to Tomcat's built-in upload handling as well as to the standalone library.
Problem
Before the patch, the headers of each multipart part were capped at a hard-coded 10kB, and nothing stopped a request from containing a very large number of parts. An attacker could:
- Send thousands of parts in a single request
- Force the server to buffer up to 10kB of headers for every one of them
Real-World Example
- 1,000 parts × 10kB of headers ≈ 10MB buffered for one request
- Thousands of concurrent requests → gigabytes of heap
- Result: OutOfMemoryError, and the JVM (with every application it hosts) stops serving
Solution
- The ASF added a configurable Connector attribute, maxPartHeaderSize (default 512 bytes), that caps the headers of each part
Impact
- Will prevent excessive memory allocation
- Gives flexibility to administrators
- Lowers the probability of memory DoS
CVE-2025-48988 – Multipart Upload Resource Exhaustion
Nature of the Flaw
The vulnerability lay in how Tomcat counted the parts of a multipart/form-data request.
Problem
- Tomcat counted multipart parts against the same per-request limit as ordinary request parameters (maxParameterCount, default 1,000).
- Multipart parts are far heavier than parameters: each carries headers that are kept in memory and, for file parts, the uploaded data itself.
- Because a single limit covered both, an attacker could use the full parameter budget on expensive parts.
Exploitation
- The attacker sends a multipart request with:
- thousands of parts (10,000 in this illustration, possible where maxParameterCount has been raised)
- ~500 bytes of headers on each part, plus whatever file data it carries
- The server buffers ~5MB of headers for that one request
- The attacker sends many such requests concurrently
Result:
Server memory exhaustion and crash
Solution
- The ASF added a separate Connector attribute, maxPartCount, so parts are no longer limited only by maxParameterCount
- Default: 10 parts per request
- Administrators can raise it for applications that legitimately upload many files at once
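The two limits described in the CVE-2025-48976 and CVE-2025-48988 sections are easiest to understand from the parser's side. The following is an added example written for this article (it is not Tomcat's or Commons FileUpload's code): a small multipart/form-data parser that enforces a per-part header cap and a part-count cap with the same defaults Tomcat now ships, and, as the fix does, checks each limit before the offending bytes are copied. The sample request bodies are constructed inline; the negative-means-unlimited convention is this example's, not necessarily Tomcat's.

```python
"""Parse multipart/form-data while enforcing a per-part header cap and a part
count cap, mirroring the limits Tomcat added as maxPartHeaderSize (default
512 bytes) and maxPartCount (default 10). Example written for this article;
it is not Tomcat's or Commons FileUpload's implementation."""

MAX_PART_HEADER_SIZE = 512   # Tomcat's post-fix default for maxPartHeaderSize
MAX_PART_COUNT = 10          # Tomcat's post-fix default for maxPartCount
CRLF = b"\r\n"


class MultipartLimitError(ValueError):
    """Raised the moment a limit is exceeded, before the offending bytes are copied."""


def parse_multipart(body, boundary, max_part_header_size=MAX_PART_HEADER_SIZE,
                    max_part_count=MAX_PART_COUNT):
    """Return a list of (headers, payload) per part. Each limit is checked before
    the part's headers or payload are sliced out of `body`, so an abusive
    request fails fast instead of growing the heap. A negative limit means
    unlimited (this example's convention)."""
    delim = CRLF + b"--" + boundary.encode("ascii")
    data = CRLF + body            # the first delimiter has no preceding CRLF
    pos = data.find(delim)
    if pos < 0:
        raise ValueError("boundary not found in body")
    parts = []
    while True:
        pos += len(delim)                      # now just past "--boundary"
        if data.startswith(b"--", pos):        # "--boundary--": closing delimiter
            return parts
        if 0 <= max_part_count <= len(parts):  # checked before touching the part
            raise MultipartLimitError(f"more than {max_part_count} parts")
        hdr_end = data.find(CRLF + CRLF, pos)  # blank line ends the part headers
        if hdr_end < 0:
            raise ValueError("unterminated part headers")
        hdr_start = pos + len(CRLF)            # skip the CRLF ending the boundary line
        hdr_len = max(0, hdr_end - hdr_start)  # 0 when the part has no headers
        if 0 <= max_part_header_size < hdr_len:
            raise MultipartLimitError(
                f"part headers of {hdr_len} bytes exceed {max_part_header_size}")
        headers = {}
        for line in data[hdr_start:hdr_end].split(CRLF):
            name, _, value = line.decode("latin-1").partition(":")
            if name:
                headers[name.strip().lower()] = value.strip()
        body_start = hdr_end + 2 * len(CRLF)
        nxt = data.find(delim, body_start)     # payload runs up to the next delimiter
        if nxt < 0:
            raise ValueError("unterminated part body")
        parts.append((headers, data[body_start:nxt]))
        pos = nxt


def build_multipart(boundary, parts):
    """Constructed sample bodies: `parts` is a list of (extra_header_lines, payload)."""
    out = bytearray()
    for i, (extra_headers, payload) in enumerate(parts):
        out += b"--" + boundary.encode("ascii") + CRLF
        out += f'Content-Disposition: form-data; name="f{i}"'.encode("ascii") + CRLF
        for line in extra_headers:
            out += line.encode("ascii") + CRLF
        out += CRLF + payload + CRLF
    out += b"--" + boundary.encode("ascii") + b"--" + CRLF
    return bytes(out)


def demo():
    """Run the parser against one benign and two abusive constructed bodies."""
    b = "bnd"
    bodies = {
        "benign": build_multipart(b, [([], b"hello"),
                                      (["Content-Type: text/plain"], b"file data")]),
        # ~10 kB of headers on one part: what the old hard-coded cap still allowed
        "big_header": build_multipart(b, [(["X-Filler: " + "A" * 10_000], b"x")]),
        # 11 tiny parts: one over the new maxPartCount default
        "many_parts": build_multipart(b, [([], b"x")] * 11),
    }
    results = {}
    for name, body in bodies.items():
        try:
            results[name] = f"accepted {len(parse_multipart(body, b))} part(s)"
        except MultipartLimitError as exc:
            results[name] = f"rejected: {exc}"
    return results
```

The important design point is where the checks sit: the part count is tested before the parser even looks for the part's headers, and the header length is tested on offsets before the header bytes are sliced, so a request with 11 parts or a 10kB header costs the server almost nothing.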
CVE-2025-49124 – Windows Installer Side-Loading
Nature of the Flaw
A low-severity flaw, but one with serious consequences on Windows systems where the preconditions are met.
Problem
- The Tomcat Windows installer invoked icacls.exe (used to set file permissions on the installation directory)
- It called the program by bare name rather than its full path (e.g., C:\Windows\System32\icacls.exe)
- Resolution therefore depended on the PATH environment variable of the user running the installer
Exploitation
- An attacker who can write to a directory that precedes System32 in PATH drops a fake icacls.exe there
- The installer, which normally runs with administrative privileges, executes the attacker's binary instead of the real one
Possible Outcomes:
- Privilege escalation to the installer's (administrative) context
- Malicious services installed
- Persistence mechanisms embedded
Solution
- Installer now uses full, absolute path to icacls.exe
- Prevents PATH manipulation attacks
CVE-2025-49125 – Pre/PostResources Auth Bypass
Nature of the Flaw
This moderate-severity flaw affects deployments that use resource overlays.
Problem
- Tomcat lets you mount additional resources (PreResources/PostResources) at a path inside the web application other than its root, for example a directory mounted at /static
- Those resources are meant to be protected by the security constraints that cover their mount path
- The mounted resources could also be reached through an unexpected path variant
- Because security constraints match on URL patterns, that variant fell outside the protected pattern and the constraint never fired
Exploitation
Use of unexpected path variants allowed:
- Bypassing authentication rules
- Gaining access to protected static content or files
Solution
- The patch closes the unexpected path, so mounted resources are reachable only through their mount path
- Security constraints are therefore enforced consistently for every way of naming the resource
How These Attacks Work in Practice
Denial-of-Service (DoS)
Attackers target memory allocation:
- Send multiple large or complex multipart requests
- Each request consumes significant memory
- Servers crash or become unresponsive
Authentication Bypass
By manipulating paths, attackers can:
- Access restricted areas
- Download sensitive resources
- Skip the authentication step entirely
Installer Abuse
- Used in targeted attacks, since it needs write access to a PATH directory on the machine where the installer runs
- Threat actors with that foothold turn an ordinary Tomcat installation into an elevated code execution
- Side-load a malicious binary that the installer runs during installation
Technical Exploitation Flow
Attack Stage | Description | Target Component |
Reconnaissance | Identify vulnerable Tomcat version | Web Application |
Exploit Delivery | Send multipart or crafted path requests | Connector / FileUpload |
Resource Impact | Exhaust memory / bypass controls | JVM / Auth Modules |
Outcome | Server crash, auth bypass, persistence | Entire Host System |
Recommended Actions
1. Upgrade Immediately
Version Branch | Upgrade To |
Tomcat 9.0.x | 9.0.106 |
Tomcat 10.1.x | 10.1.42 |
Tomcat 11.0.x | 11.0.8 |
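To check an inventory of Tomcat instances against the ranges in the summary table and the upgrade table above, here is an added example (written for this article, not an ASF tool). It parses Tomcat's version strings, including milestone builds such as 9.0.0.M1 and 11.0.0-M1, which sort before the final release of the same number, and returns the CVEs a given version is exposed to. The fixed versions and the 9.0.23 lower bound for CVE-2025-49124 are taken from this article; branches the article does not cover (such as 8.5.x) are reported as unknown rather than clean.

```python
"""Classify a Tomcat version against the four June 2025 CVEs.
Example written for this article; ranges are taken from the tables above."""
import re

# Fixed-in version per supported branch (from the upgrade table).
FIXED_IN = {(9, 0): "9.0.106", (10, 1): "10.1.42", (11, 0): "11.0.8"}
CVES = ("CVE-2025-48976", "CVE-2025-48988", "CVE-2025-49124", "CVE-2025-49125")
# Only the installer flaw has a lower bound below which a branch is unaffected.
FIRST_AFFECTED = {"CVE-2025-49124": {(9, 0): "9.0.23"}}

# 9.0.105, 9.0.0.M1 (Tomcat 9 milestone style) and 11.0.0-M1 (newer style).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Sortable tuple; a milestone sorts before the final release of its number."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def affected_cves(version):
    """Return the CVEs `version` is exposed to, [] if fully patched, or None if
    the branch is outside this advisory (e.g. 8.5.x) and must be checked elsewhere."""
    key = version_key(version)
    branch = key[:2]
    if branch not in FIXED_IN:
        return None
    fixed = version_key(FIXED_IN[branch])
    hits = []
    for cve in CVES:
        lower = FIRST_AFFECTED.get(cve, {}).get(branch)
        if lower and key < version_key(lower):
            continue                      # before the flaw was introduced
        if key < fixed:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    for v in ("9.0.22", "9.0.105", "9.0.106", "10.1.0-M1", "11.0.7", "8.5.100"):
        print(v, affected_cves(v))
```

Feed it the version reported by `catalina.sh version` (or the `ServerInfo` banner) rather than guessing from a package name, and treat a None result as "out of scope for this advisory", not as safe.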
2. Apply Configuration Hardening
In server.xml, within the <Connector> tag:
<Connector
…
maxPartHeaderSize="512"
maxPartCount="10"
/>
These values are the defaults shipped with the fixed releases, so setting them explicitly only matters if you need a different value (for example a higher maxPartCount for a form that legitimately uploads many files; keep it as low as the application allows). Older releases do not recognise these attributes (they log a warning and ignore them), so adding them is not a substitute for upgrading.
3. Validate PATH Settings (Windows)
- Ensure no untrusted executables reside in any directory listed in the PATH environment variable, and that no directory ahead of System32 is writable by standard users.
- Run the installer from a location that untrusted users cannot write to, and from an account whose PATH you have reviewed.
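The PATH review above can be scripted. What follows is an added example for this article (not part of the Tomcat installer): it walks PATH in search order up to the trusted location of icacls.exe and reports every earlier entry that already contains a file of that name or that the current user can write to, since either lets a bare-name call resolve to the wrong binary. The demo scenario is constructed in a temporary directory; the `check_icacls` helper applies the same check to the live environment. On Windows, `os.access` is only a coarse writability hint, so confirm any "writable" finding with icacls or Get-Acl.

```python
"""Find PATH entries that could shadow an executable called by bare name.
Example written for this article, not part of the Tomcat installer."""
import os
import tempfile


def search_order_findings(exe_name, path_dirs, trusted_dir):
    """Walk PATH in search order until trusted_dir (where exe_name belongs).
    Return (findings, reached): findings lists each earlier entry that already
    holds exe_name or that the current user could write to; reached is False
    if trusted_dir never appears, meaning a bare-name call cannot resolve there."""
    def canon(p):
        return os.path.normcase(os.path.normpath(p))

    findings = []
    for entry in path_dirs:
        if not entry:
            continue
        if canon(entry) == canon(trusted_dir):
            return findings, True            # nothing after this point can shadow it
        if os.path.isfile(os.path.join(entry, exe_name)):
            findings.append((entry, f"already contains {exe_name}"))
        elif os.path.isdir(entry) and os.access(entry, os.W_OK):
            findings.append((entry, "writable by the current user"))
    return findings, False


def check_icacls(path_env=None, system32=None):
    """Check a PATH string (default: the live environment) for icacls.exe shadowing."""
    path_env = os.environ.get("PATH", "") if path_env is None else path_env
    system32 = system32 or os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return search_order_findings("icacls.exe", path_env.split(os.pathsep), system32)


def demo():
    """Constructed scenario: a 'tools' dir already holding a rogue icacls.exe and
    an empty, writable 'bin' dir both sit ahead of the trusted dir on PATH."""
    with tempfile.TemporaryDirectory() as root:
        tools, bin_, sys32 = (os.path.join(root, d) for d in ("tools", "bin", "System32"))
        for d in (tools, bin_, sys32):
            os.mkdir(d)
        for d in (tools, sys32):
            open(os.path.join(d, "icacls.exe"), "wb").close()   # empty stand-in binaries
        path_env = os.pathsep.join([tools, bin_, sys32, root])  # root comes after sys32: ignored
        findings, reached = check_icacls(path_env, sys32)
        return findings, reached, tools, bin_


if __name__ == "__main__":
    print(demo())
```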
4. Review Pre/Post Resources Configuration
- Avoid mounting PreResources/PostResources at a path other than the web application root unless essential.
- Make sure the security constraints covering the mount path really are hit by every spelling of the path: test the protected resource through alternate paths and compare the responses.
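One way to run the path-bypass test from the last step, as an added example for this article and not a Tomcat project tool: generate alternate spellings of a protected path (dot segments, double slashes, case changes, an encoded slash, a path parameter) and report the ones that get a different response than the canonical path. These are generic alternate-path probes, not the specific path behind CVE-2025-49125, which the advisory does not spell out. Responses are compared as (status, body digest) rather than status alone, because FORM authentication answers an unauthenticated request with the login page and a 200. `http_fetch` talks to a real server; the two `fake_*_server` functions are constructed stand-ins for a backend that matches the constraint on the raw path but serves files from a canonicalised one, and for the corrected behaviour. Run it only against systems you are authorised to test.

```python
"""Probe a protected resource through alternate spellings of its URL path.
Example written for this article; the variants are generic, not the specific
path behind CVE-2025-49125."""
import hashlib
import posixpath
import urllib.error
import urllib.request
from urllib.parse import quote, unquote


def path_variants(path):
    """Alternate spellings of an absolute request path, keyed by technique."""
    segs = path.strip("/").split("/")
    head, tail = segs[0], segs[1:]
    return {
        "original":      path,
        "dot_segment":   "/" + "/".join([head, "..", head] + tail),  # /static/../static/x
        "self_segment":  "/" + "/".join([head, "."] + tail),         # /static/./x
        "double_slash":  "//" + "/".join(segs),                       # //static/x
        "upper_case":    "/" + "/".join(s.upper() for s in segs),     # /STATIC/X
        "encoded_slash": "/" + quote("/".join(segs), safe=""),        # /static%2Fx
        "path_param":    "/" + head + ";x=1/" + "/".join(tail),       # /static;x=1/x
    }


def probe(fetch, protected_path):
    """fetch(path) -> (status, body_digest). Report every variant whose response
    differs from the canonical path's: a different status *or* body means the
    constraint did not fire the same way and the response needs a look."""
    variants = path_variants(protected_path)
    baseline = fetch(variants["original"])
    leaks = {}
    for name, p in variants.items():
        if name == "original":
            continue
        resp = fetch(p)
        if resp != baseline:
            leaks[name] = (p, resp)
    return leaks


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx itself instead of following it to a login page


def http_fetch(base_url, timeout=5.0):
    """Return a fetch callable issuing unauthenticated GETs against a live server."""
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(path):
        try:
            with opener.open(base_url + path, timeout=timeout) as resp:
                status, body = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read()
        return status, hashlib.sha256(body).hexdigest()[:16]
    return fetch


# Constructed stand-ins so the probe can be exercised without a server.
SECRET = "/static/secret.txt"


def _canonical(path):
    decoded = unquote(path)
    no_params = "/".join(seg.split(";")[0] for seg in decoded.split("/"))
    return posixpath.normpath("/" + no_params.lstrip("/")).lower()


def fake_vulnerable_server(path):
    """Matches the constraint on the raw path but serves files from the canonical one."""
    if path.startswith("/static/"):
        return (403, "forbidden")
    return (200, "secret") if _canonical(path) == SECRET else (404, "missing")


def fake_fixed_server(path):
    """Canonicalises first, so every spelling meets the same constraint."""
    p = _canonical(path)
    if p.startswith("/static/"):
        return (403, "forbidden")
    return (200, "secret") if p == SECRET else (404, "missing")


if __name__ == "__main__":
    print(probe(fake_vulnerable_server, SECRET))   # four leaking spellings
    print(probe(fake_fixed_server, SECRET))        # {}
    # Against a test instance: probe(http_fetch("https://tomcat.test:8443"), "/static/secret.txt")
```

A reported variant is a lead, not proof: inspect the body (a 200 for a custom error page is harmless), and remember that Tomcat rejects encoded slashes by default, so the encoded_slash variant will usually come back as 400 and show up only because its status differs from the baseline.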
Conclusion
The recent Apache Tomcat vulnerabilities—ranging from denial-of-service (DoS) risks to authentication bypass and installer abuse—underscore the critical need for proactive system security.
These flaws, affecting versions 9.0, 10.1, and 11.0, could be exploited to crash servers, bypass security controls, or introduce malicious executables during installation.
Fortunately, the Apache Software Foundation has responded swiftly with patches and configuration options that offer immediate protection.
To strengthen your defense beyond patching, consider using a dedicated security solution like SiteLock. It offers real-time website scanning, daily vulnerability detection, and active protection against threats such as DDoS attacks, malware, SQL injection, and authentication bypass.