CVE-2025-48988

Name: CVE-2025-48988
Description: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1108116, 1108117

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                         Version              Status
tomcat10 (PTS)    bookworm, bookworm (security)   10.1.34-0+deb12u2    vulnerable
tomcat10 (PTS)    sid, trixie                     10.1.40-1            vulnerable
tomcat11 (PTS)    sid, trixie                     11.0.6-1             vulnerable
tomcat9 (PTS)     bullseye                        9.0.43-2~deb11u10    vulnerable
tomcat9 (PTS)     bullseye (security)             9.0.43-2~deb11u12    vulnerable
tomcat9 (PTS)     bookworm                        9.0.70-2             fixed
tomcat9 (PTS)     sid, trixie                     9.0.95-1             fixed

The information below is based on the following data on fixed versions.

Package     Type      Release      Fixed Version    Urgency    Origin    Debian Bugs
tomcat10    source    (unstable)   (unfixed)                             1108117
tomcat11    source    (unstable)   (unfixed)                             1108116
tomcat9     source    (unstable)   9.0.70-2

Notes

Starting with 9.0.70-2, src:tomcat9 no longer ships the server stack, so that version is used as the fixed version.
https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e (11.0.8)
https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6 (10.1.42)
https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910 (9.0.106)
