CVE-2025-48976

Aliases:GHSA-vv7r-c36w-3prj
Advisory lineage Upstream: 0 Downstream: 19
Modified
Published: 16 Jun 2025, 15:00
Last modified:03 Nov 2025, 20:05

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
1.28% LOW
1% probability +1.08%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

16 Jun 2025, 15:00
Published
Vulnerability first disclosed
03 Nov 2025, 20:05
Last Modified
Vulnerability information updated

Description

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

CVSS Metrics

  • v4.0HIGHScore: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 1.28% Percentile: 80%

Techniques & Countermeasures

  • CWE-770Allocation of Resources Without Limits or Throttling

    The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Affected Systems

  • apache software foundationapache commons fileupload

    ≥ 1.0, < 1.6 | ≥ 2.0.0-M1, < 2.0.0-M4

  • apachecommons_fileupload

    ≥ 1.0, < 1.6 | 2.0.0:m1 | 2.0.0:m1-rc1 | 2.0.0:m2 | 2.0.0:m2-rc1 | 2.0.0:m3 | 2.0.0:m3-rc1

  • commons-fileuploadcommons-fileupload

    ≥ 1.0, < 1.6.0

  • org.apache.commonscommons-fileupload2-core

    ≥ 2.0.0-M1, < 2.0.0-M4

References (9)