CVE-2025-48976

Name	CVE-2025-48976
Description	Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1108118, 1108119, 1108120

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libcommons-fileupload-java (PTS)	bullseye	1.4-1	vulnerable
	bookworm	1.4-2	vulnerable
	trixie, sid	1.5-1.1	vulnerable
tomcat10 (PTS)	bookworm, bookworm (security)	10.1.34-0+deb12u2	vulnerable
	trixie, sid	10.1.40-1	vulnerable
tomcat11 (PTS)	trixie, sid	11.0.6-1	vulnerable
tomcat9 (PTS)	bullseye	9.0.43-2~deb11u10	vulnerable
	bullseye (security)	9.0.43-2~deb11u12	vulnerable
	bookworm	9.0.70-2	fixed
	trixie, sid	9.0.95-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
libcommons-fileupload-java	source	(unstable)	(unfixed)	1108120
tomcat10	source	(unstable)	(unfixed)	1108119
tomcat11	source	(unstable)	(unfixed)	1108118
tomcat9	source	(unstable)	9.0.70-2

Notes

[bookworm] - libcommons-fileupload-java <no-dsa> (Minor issue)
Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12
https://github.com/apache/tomcat/commit/74f69ffaf61e54c727603e7e831fe20f0ac5d2a7 (11.0.8)
https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86 (10.1.42)
https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93 (9.0.106)
https://github.com/apache/commons-fileupload/commit/2108495a4775910b8559f18ed5a779d60542ee96 (commons-fileupload-1.6.0-RC1)