Improper Resource Shutdown Vulnerability in Apache Tomcat by Apache
CVE-2025-61795

5.3 MEDIUM

Key Information:

Vendor:
Apache

CVE Published:
27 October 2025

What is CVE-2025-61795?

An improper resource shutdown vulnerability in Apache Tomcat can affect the stability of the host system. When a multipart upload fails with an error, such as exceeding a configured limit, the temporary copies of the uploaded files are not deleted immediately; they are only removed once the garbage collector cleans up the associated objects. Depending on JVM settings, application memory usage and load conditions, the disk space used for these temporary files can therefore fill faster than garbage collection clears it, potentially resulting in a Denial of Service (DoS). To mitigate this issue, users should upgrade to version 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later.

Affected Version(s)

Apache Tomcat 11.0.0-M1 to 11.0.11 (inclusive)

Apache Tomcat 10.1.0-M1 to 10.1.46 (inclusive)

Apache Tomcat 9.0.0.M1 to 9.0.109 (inclusive)
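As an added example (not part of this advisory or of the Tomcat project), a small Python checker that maps a Tomcat version string onto the affected ranges listed above and returns the fixed version to upgrade to. The milestone ordering (Mn sorts before the final release of the same number) and the two milestone spellings handled ("11.0.0-M1" and "9.0.0.M1") are assumptions based on the version strings on this page.

```python
import re

# Affected ranges and fixed versions exactly as listed in the advisory.
# Tuples are (first affected, last affected inclusive, fixed in).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.11", "11.0.12"),
    ("10.1.0-M1", "10.1.46", "10.1.47"),
    ("9.0.0.M1", "9.0.109", "9.0.110"),
]

# Accepts "x.y.z", "x.y.z-Mn" (Tomcat 10/11 style) and "x.y.z.Mn" (Tomcat 9 style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Rank given to a final release so that every milestone Mn sorts below it.
_FINAL_RELEASE_RANK = 1 << 30


def parse_version(text):
    """Turn a Tomcat version string into a sortable (major, minor, patch, rank) tuple.

    Assumption: milestone builds (Mn) precede the final release with the same
    major.minor.patch number, which matches how the ranges above are written.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    rank = int(milestone) if milestone is not None else _FINAL_RELEASE_RANK
    return (int(major), int(minor), int(patch), rank)


def fixed_version_for(version):
    """Return the version to upgrade to if `version` falls inside an affected
    range, or None if it is outside every range listed in the advisory.

    None means "not in a listed range", not "safe": branches the advisory does
    not list (for example 8.5.x) are simply not covered by it.
    """
    parsed = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= parsed <= parse_version(last):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ("11.0.0-M1", "11.0.11", "11.0.12", "9.0.0.M1", "9.0.109", "9.0.110"):
        print(f"{v:>10}: {fixed_version_for(v) or 'not in an affected range'}")
```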

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

sw0rd1ight (https://github.com/sw0rd1ight)