oss-sec mailing list archives

CVE-2025-48976: Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers

From: "Gary D. Gregory" <ggregory () apache org>
Date: Mon, 16 Jun 2025 14:53:15 +0000

Severity: important 

Affected versions:

- Apache Commons FileUpload (commons-fileupload:commons-fileupload) 1.0 before 1.6
- Apache Commons FileUpload (org.apache.commons:commons-fileupload2) 2.0.0-M1 before 2.0.0-M4

Description:

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons 
FileUpload.

This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.

Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

Credit:

TERASOLUNA Framework Security Team of NTT DATA Group Corporation (finder)

References:

https://commons.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48976

Current thread:

CVE-2025-48976: Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers Gary D. Gregory (Jun 16)