Improper Resource Shutdown or Release Vulnerability in Apache Tomcat
CVE-2025-48989
What is CVE-2025-48989?
CVE-2025-48989 is an improper resource shutdown or release vulnerability (CWE-404) in Apache Tomcat, the widely used open-source implementation of the Java Servlet, JavaServer Pages and Java Expression Language specifications. The flaw sits in Tomcat's HTTP/2 connector and made Tomcat vulnerable to the "made you reset" attack: a client deliberately provokes the server into resetting HTTP/2 streams, and because the resources tied to those server-reset streams were not released and accounted for promptly, the per-connection concurrent-stream limit no longer bounded the work the server had in flight. A single client could therefore drive CPU and memory consumption far beyond what the stream limit was meant to allow. The practical consequence is denial of service against the Tomcat instance and every web application it hosts. The issue affects the 9.0.x, 10.1.x and 11.0.x branches from their first milestone builds onward, so any installation not yet on a fixed release is exposed; only connectors with the HTTP/2 UpgradeProtocol configured are reachable by this attack.
Potential impact of CVE-2025-48989
- Denial of Service (DoS): this is the impact described by the upstream advisory. An unauthenticated client with an HTTP/2 connection can exhaust connector resources, leaving the Tomcat instance unable to serve legitimate requests to any of the applications deployed on it.
- Data exposure: the advisory describes no confidentiality impact. The resources left behind are server-side stream state, not request or response data that another client could read, so claims of data leakage from this CVE are not supported.
- System compromise: no code execution or privilege escalation is associated with this CVE. The security-relevant consequence is availability loss, which is serious for internet-facing services but does not by itself give an attacker a foothold on the server or on connected systems.
Affected Version(s)
Apache Tomcat 11.0.0-M1 through 11.0.9 (fixed in 11.0.10)
Apache Tomcat 10.1.0-M1 through 10.1.43 (fixed in 10.1.44)
Apache Tomcat 9.0.0.M1 through 9.0.107 (fixed in 9.0.108)
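Checking a fleet against these ranges is error-prone because Tomcat milestone builds use two spellings (`11.0.0-M1` with a hyphen, `9.0.0.M1` with a dot) and sort below the GA release with the same numbers. The following is an added example, not code from Apache Tomcat or from this advisory: it parses the version line printed by `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` and classifies it against the affected ranges listed above. The `SAMPLE_SERVER_INFO` text is a constructed sample of that command's output, and the function names are my own.

```python
import re

# Last affected patch level per branch, from the advisory's affected-version list.
# Every branch is affected from its first milestone build, so only the upper
# bound is needed; the fixed release is the next patch level.
LAST_AFFECTED = {
    (11, 0): 9,    # 11.0.0-M1 through 11.0.9, fixed in 11.0.10
    (10, 1): 43,   # 10.1.0-M1 through 10.1.43, fixed in 10.1.44
    (9, 0): 107,   # 9.0.0.M1  through 9.0.107, fixed in 9.0.108
}

# Accepts "9.0.107", "11.0.0-M26" and "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_tomcat_version(version):
    """Return a sortable tuple (major, minor, patch, ga_flag, milestone).

    ga_flag is 0 for milestone builds and 1 for GA builds, so 11.0.0-M26
    sorts below 11.0.0 and every milestone sorts below the first GA release
    of its branch, matching how the advisory's ranges are written.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    if m[4] is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m[4]))


def classify_cve_2025_48989(version):
    """Classify a Tomcat version string as 'affected', 'fixed' or
    'branch not listed' (a branch the advisory does not cover, e.g. 8.5.x)."""
    v = parse_tomcat_version(version)
    last = LAST_AFFECTED.get((v[0], v[1]))
    if last is None:
        return "branch not listed"
    upper_bound = (v[0], v[1], last, 1, 0)   # last affected GA release
    return "affected" if v <= upper_bound else "fixed"


def version_from_server_info(output):
    """Pull the version out of ServerInfo output, which contains a line such as
    'Server version: Apache Tomcat/9.0.107'."""
    for line in output.splitlines():
        if line.startswith("Server version:"):
            return line.split("/", 1)[1].strip()
    raise ValueError("no 'Server version:' line in ServerInfo output")


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVER_INFO = """\
Server version: Apache Tomcat/9.0.107
Server built:   (constructed sample)
Server number:  9.0.107.0
OS Name:        Linux
"""


def check_sample():
    """Run the constructed sample through the checker; returns the verdict."""
    version = version_from_server_info(SAMPLE_SERVER_INFO)
    return version, classify_cve_2025_48989(version)


if __name__ == "__main__":
    version, verdict = check_sample()
    print(f"Apache Tomcat {version}: {verdict}")
    for v in ("11.0.0-M26", "11.0.10", "10.1.43", "9.0.0.M1", "8.5.100"):
        print(f"Apache Tomcat {v}: {classify_cve_2025_48989(v)}")
```

A version that classifies as "affected" is only exploitable if an HTTP/2 `UpgradeProtocol` is configured on a connector, so the checker is a first filter for patching priority, not a substitute for looking at `server.xml`. The "branch not listed" verdict deliberately does not say "safe": end-of-life branches are simply outside what the advisory enumerates.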