CVE-2025-48988

| CVE ID | CVE-2025-48988 |
|---|---|
| CVSS Score | 7.5 |
| Operating System | |
| Affected Versions | |
| Patched Versions | 8.5.111-OL |
| Patch Date | |
| Last Updated Date | |
| Vector String | |
Additional Information
Bug Fixes
Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.
New Configuration Options:
Tomcat now supports two new attributes on the <Connector> element to mitigate excessive memory usage from multipart requests:
- maxPartCount: Maximum number of parts allowed in a multipart/form-data request. Default: 50.
- maxPartHeaderSize: Maximum header size (in bytes) allowed per part. Default: 512.
Example Configuration:
Add the following to your server.xml Connector configuration:
<Connector port="8080" protocol="HTTP/1.1" maxPartCount="20" maxPartHeaderSize="1024" ... />
This example limits requests to 20 parts, with each part's headers limited to 1024 bytes.
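To check that every Connector in a deployment actually carries these limits, the following audit script is added here as an example (not part of the advisory or of Tomcat itself); it parses a constructed server.xml, applies the defaults stated above where an attribute is absent, and flags connectors that rely on defaults or set hypothetical ceilings higher than a chosen budget.

```python
"""Audit a Tomcat server.xml for the multipart limits introduced for CVE-2025-48988."""
import xml.etree.ElementTree as ET

# Defaults as stated in this page's configuration notes; used when the attribute is absent.
DEFAULT_MAX_PART_COUNT = 50
DEFAULT_MAX_PART_HEADER_SIZE = 512

# Constructed sample server.xml (not from any real deployment): one hardened connector,
# one that relies on defaults, one with oversized limits.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               maxPartCount="20" maxPartHeaderSize="1024"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3"
               maxPartCount="500" maxPartHeaderSize="65536"/>
  </Service>
</Server>
"""

def audit_connectors(server_xml, max_count_ceiling=50, max_header_ceiling=8192):
    """Return one dict per <Connector> with its effective limits and any findings.

    The ceilings are hypothetical review thresholds, not Tomcat values. A missing
    attribute falls back to the default, which only protects a patched Tomcat; an
    explicit value far above the ceiling re-opens the memory pressure the limits cap.
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        count_attr = conn.get("maxPartCount")
        header_attr = conn.get("maxPartHeaderSize")
        count = int(count_attr) if count_attr is not None else DEFAULT_MAX_PART_COUNT
        header = int(header_attr) if header_attr is not None else DEFAULT_MAX_PART_HEADER_SIZE
        findings = []
        if count_attr is None and header_attr is None:
            findings.append("relies on defaults; confirm the running Tomcat is patched")
        if count > max_count_ceiling:
            findings.append(f"maxPartCount={count} exceeds ceiling {max_count_ceiling}")
        if header > max_header_ceiling:
            findings.append(f"maxPartHeaderSize={header} exceeds ceiling {max_header_ceiling}")
        results.append({"port": conn.get("port"), "maxPartCount": count,
                        "maxPartHeaderSize": header, "findings": findings})
    return results

if __name__ == "__main__":
    for r in audit_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not r["findings"] else "; ".join(r["findings"])
        print(f"port {r['port']}: parts={r['maxPartCount']} header={r['maxPartHeaderSize']} -> {status}")
```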
Expected Error When Limits Are Exceeded:
If a request exceeds either limit, Tomcat will reject the request and respond with:
HTTP Status 500 – Internal Server Error
org.apache.tomcat.util.http.fileupload.impl.FileCountLimitExceededException: attachment
or
HTTP Status 500 – Internal Server Error
org.apache.tomcat.util.http.fileupload.impl.FileUploadBase$FileUploadIOException: org.apache.tomcat.util.http.fileupload.impl.PartHeaderLimitExceededException: attachment
The error message will indicate whether the part count or header size limit was violated.