CVE-2025-48989

NameCVE-2025-48989
DescriptionImproper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1111096, 1111097

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat10 (PTS)bookworm, bookworm (security)10.1.34-0+deb12u2vulnerable
forky, sid, trixie10.1.40-1vulnerable
tomcat11 (PTS)forky, sid, trixie11.0.6-1vulnerable
tomcat9 (PTS)bullseye9.0.43-2~deb11u10vulnerable
bullseye (security)9.0.107-0+deb11u1fixed
bookworm9.0.70-2fixed
forky, sid, trixie9.0.95-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat10source(unstable)(unfixed)1111096
tomcat11source(unstable)(unfixed)1111097
tomcat9source(unstable)9.0.70-2

Notes

Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
https://github.com/apache/tomcat/commit/f362c8eb3b8ec5b7f312f7f5610731c0fb299a06 (11.0.10)
https://github.com/apache/tomcat/commit/73c04a10395774bda71a0b37802cf983662ce255 (10.1.44)
https://github.com/apache/tomcat/commit/f36b8a4eea4ce8a0bc035079e1d259d29f5eb7bf (9.0.108)

Search for package or bug name: Reporting problems