Vulnerability DatabaseCVE-2025-61795
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-61795
October 27, 2025
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue.
Affected Packages
org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.12
Fix Suggestion:
Update to version 11.0.12
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=9.0.1 <9.0.110
Fix Suggestion:
Update to version 9.0.110
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.110
Fix Suggestion:
Update to version 9.0.110
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.12
Fix Suggestion:
Update to version 11.0.12
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=10.1.0-M1 <10.1.47
Fix Suggestion:
Update to version 10.1.47
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.110
Fix Suggestion:
Update to version 9.0.110
org.apache.tomcat:tomcat (JAVA):
Affected version(s) >=9.0.1 <9.0.110
Fix Suggestion:
Update to version 9.0.110
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=9.0.1 <9.0.110
Fix Suggestion:
Update to version 9.0.110
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=11.0.0-M1 <11.0.12
Fix Suggestion:
Update to version 11.0.12
Related Resources (10)
https://github.com/apache/tomcat/commit/1cdf5f730ede75a0759492f179ac21ca4ff68e06
http://www.openwall.com/lists/oss-security/2025/10/27/6
https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b
https://github.com/apache/tomcat
https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.12
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.110
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.47
https://nvd.nist.gov/vuln/detail/CVE-2025-61795
https://github.com/apache/tomcat/commit/af6e9181620304c0d818121c29c074e1330610d0
Do you need more information?
Contact Us
CVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
UNREPORTED
CVSS v3
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Improper Resource Shutdown or Release
CWE-404
EPSS
Base Score:
0.11