oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2025-48989: Apache Tomcat: h2 DoS - Made You Reset

From: Mark Thomas <markt () apache org>
Date: Wed, 13 Aug 2025 13:40:58 +0100
Severity: important

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.9
- Apache Tomcat 10.1.0-M1 through 10.1.43
- Apache Tomcat 9.0.0.M1 through 9.0.107
- Apache Tomcat 8.5.0 through 8.5.100 unknown

Description:
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. 

Credit:
Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University (finder) 

References:

https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48989
Previous By Date Next
Previous By Thread Next

Current thread: