{"id":"UBUNTU-CVE-2025-48976","details":"Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.","modified":"2026-06-03T17:45:46.120656357Z","published":"2025-06-16T15:15:00Z","upstream":["CVE-2025-48976"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-48976"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-48976"},{"type":"REPORT","url":"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12"},{"type":"REPORT","url":"https://github.com/apache/tomcat/commit/74f69ffaf61e54c727603e7e831fe20f0ac5d2a7"},{"type":"REPORT","url":"https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86"},{"type":"REPORT","url":"https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93"},{"type":"REPORT","url":"https://github.com/apache/commons-fileupload/commit/2108495a4775910b8559f18ed5a779d60542ee96"},{"type":"REPORT","url":"http://www.openwall.com/lists/oss-security/2025/06/16/4"}],"affected":[{"package":{"name":"tomcat6","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/tomcat6?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.0.37-1","6.0.39-1","6.0.39-1ubuntu0.1","6.0.39-1ubuntu0.1+esm1","6.0.39-1ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"libservlet2.4-java"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"libservlet2.5-java"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"libtomcat6-java"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-admin"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-common"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-docs"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-examples"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-extras"},{"binary_version":"6.0.39-1ubuntu0.1+esm2","binary_name":"tomcat6-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.1-1","1.3.1-2","1.3.1-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.3.1-2ubuntu0.1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.3-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.3.3-1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.16-3~18.04.1","9.0.16-3ubuntu0.18.04.1","9.0.16-3ubuntu0.18.04.2","9.0.16-3ubuntu0.18.04.2+esm1","9.0.16-3ubuntu0.18.04.2+esm2","9.0.16-3ubuntu0.18.04.2+esm3","9.0.16-3ubuntu0.18.04.2+esm4","9.0.16-3ubuntu0.18.04.2+esm5","9.0.16-3ubuntu0.18.04.2+esm6","9.0.16-3ubuntu0.18.04.2+esm7"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"libtomcat9-java"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9-admin"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9-common"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9-docs"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9-examples"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm7","binary_name":"tomcat9-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.3.3-1","1.4-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.4-1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.24-1","9.0.27-1","9.0.31-1","9.0.31-1ubuntu0.1","9.0.31-1ubuntu0.2","9.0.31-1ubuntu0.3","9.0.31-1ubuntu0.4","9.0.31-1ubuntu0.5","9.0.31-1ubuntu0.6","9.0.31-1ubuntu0.7","9.0.31-1ubuntu0.8","9.0.31-1ubuntu0.9","9.0.31-1ubuntu0.9+esm1","9.0.31-1ubuntu0.9+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"libtomcat9-java"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9-admin"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9-common"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9-docs"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9-examples"},{"binary_version":"9.0.31-1ubuntu0.9+esm2","binary_name":"tomcat9-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.4-1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.0.43-3","9.0.54-1","9.0.55-1","9.0.58-1","9.0.58-1ubuntu0.1","9.0.58-1ubuntu0.1+esm1","9.0.58-1ubuntu0.1+esm2","9.0.58-1ubuntu0.1+esm3","9.0.58-1ubuntu0.1+esm4","9.0.58-1ubuntu0.2","9.0.58-1ubuntu0.2+esm1","9.0.58-1ubuntu0.2+esm2","9.0.58-1ubuntu0.2+esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"libtomcat9-java"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9-admin"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9-common"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9-docs"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9-examples"},{"binary_version":"9.0.58-1ubuntu0.2+esm3","binary_name":"tomcat9-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.4-2","1.5-1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5-1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["10.1.10-1","10.1.14-1","10.1.15-1","10.1.16-1","10.1.16-1ubuntu0.1~esm1","10.1.16-1ubuntu0.1~esm2","10.1.16-1ubuntu0.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"libtomcat10-java"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10-admin"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10-common"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10-docs"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10-examples"},{"binary_version":"10.1.16-1ubuntu0.1~esm3","binary_name":"tomcat10-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5-1","1.5-1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5-1.1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["10.1.35-1","10.1.40-1","10.1.40-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.40-1ubuntu1","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"libtomcat10-java"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-admin"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-common"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-docs"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-examples"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat11","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/tomcat11?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["11.0.6-1"],"ecosystem_specific":{"binaries":[{"binary_version":"11.0.6-1","binary_name":"libtomcat11-embed-java"},{"binary_version":"11.0.6-1","binary_name":"libtomcat11-java"},{"binary_version":"11.0.6-1","binary_name":"tomcat11"},{"binary_version":"11.0.6-1","binary_name":"tomcat11-admin"},{"binary_version":"11.0.6-1","binary_name":"tomcat11-common"},{"binary_version":"11.0.6-1","binary_name":"tomcat11-docs"},{"binary_version":"11.0.6-1","binary_name":"tomcat11-examples"},{"binary_version":"11.0.6-1","binary_name":"tomcat11-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"libcommons-fileupload-java","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/libcommons-fileupload-java?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.5-1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5-1.1","binary_name":"libcommons-fileupload-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["10.1.40-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.40-1ubuntu1","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"libtomcat10-java"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-admin"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-common"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-docs"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-examples"},{"binary_version":"10.1.40-1ubuntu1","binary_name":"tomcat10-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}},{"package":{"name":"tomcat11","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/tomcat11?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["11.0.6-1","11.0.11-1","11.0.15-1","11.0.18-1"],"ecosystem_specific":{"binaries":[{"binary_version":"11.0.18-1","binary_name":"libtomcat11-embed-java"},{"binary_version":"11.0.18-1","binary_name":"libtomcat11-java"},{"binary_version":"11.0.18-1","binary_name":"tomcat11"},{"binary_version":"11.0.18-1","binary_name":"tomcat11-admin"},{"binary_version":"11.0.18-1","binary_name":"tomcat11-common"},{"binary_version":"11.0.18-1","binary_name":"tomcat11-docs"},{"binary_version":"11.0.18-1","binary_name":"tomcat11-examples"},{"binary_version":"11.0.18-1","binary_name":"tomcat11-user"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-48976.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}