
CVE-2025-48989 is a Denial-of-Service (DoS) vulnerability in Apache Tomcat, specifically affecting its HTTP/2 implementation. It is classified as an “Improper Resource Shutdown or Release” issue, which leaves Tomcat susceptible to the so-called “made you reset” attack.
Vulnerability Details
- Issue: Malicious or malformed HTTP/2 client requests can force Tomcat to reset server-side streams without properly updating abuse counters or releasing resources, potentially allowing repeated exploitation and resulting in a denial of service.
- Impact: Remote attackers can exploit this flaw to exhaust server resources, causing a Denial-of-Service condition.
Affected Versions
- Apache Tomcat 11: Versions from 11.0.0-M1 up to (but not including) 11.0.10
- Apache Tomcat 10: Versions from 10.1.0-M1 up to (but not including) 10.1.44
- Apache Tomcat 9: Versions from 9.0.0.M1 up to (but not including) 9.0.108
- Older/EOL Versions: May also be affected, but official support and patch information are not provided for End-of-Life releases.
Fixed Versions / Remediation
- Upgrade to Tomcat 11.0.10, Tomcat 10.1.44, or Tomcat 9.0.108 (or newer) to remediate this vulnerability.
- No binary patches are provided; a full upgrade is required.
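The version ranges above are easy to misread because Tomcat milestone builds are written in two different styles (`11.0.0-M1` for Tomcat 10/11, `9.0.0.M1` for Tomcat 9) and sort before the final release of the same number. The following Python is an added example (not part of the advisory and not Tomcat project code) that encodes the affected and fixed ranges from this page and classifies an inventory of version strings, including the `Server version: Apache Tomcat/x.y.z` line printed by `catalina.sh version`. The inventory entries are constructed sample data; versions below the first listed affected release of a branch, or on branches the advisory does not cover, are reported as "unknown" rather than "not affected", because the advisory states that EOL releases may also be affected.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges taken from the advisory: [first_affected, first_fixed) per major branch.
AFFECTED_RANGES: Dict[int, Tuple[str, str]] = {
    11: ("11.0.0-M1", "11.0.10"),
    10: ("10.1.0-M1", "10.1.44"),
    9: ("9.0.0.M1", "9.0.108"),
}

# Accepts "x.y.z" plus an optional milestone suffix "-Mn" or ".Mn".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")
_FINAL_RELEASE = 10**6  # sentinel so a final release sorts after every milestone of the same x.y.z

# Matches the "Server version:" line emitted by `catalina.sh version` / `version.sh`.
_SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a Tomcat version string into a tuple that compares correctly.

    Milestones (11.0.0-M1, 9.0.0.M1) precede the final release of the same number,
    so the fourth element is the milestone number, or a large sentinel for finals.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _FINAL_RELEASE
    return (int(major), int(minor), int(patch), ms)


def extract_version(server_line: str) -> Optional[str]:
    """Pull the bare version out of 'Server version: Apache Tomcat/9.0.100'."""
    m = _SERVER_LINE_RE.search(server_line)
    return m.group(1) if m else None


def assess(version: str) -> dict:
    """Classify one version against CVE-2025-48989: affected True/False, or None if unknown."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        return {"version": version, "affected": None, "fixed_in": None,
                "note": "branch not covered by the advisory; EOL lines may still be affected"}
    lo, hi = parse_version(rng[0]), parse_version(rng[1])
    if v < lo:
        # e.g. 10.0.x sits below 10.1.0-M1: the advisory gives no patch info for EOL lines.
        return {"version": version, "affected": None, "fixed_in": None,
                "note": "older than the first listed affected release; treat as EOL/unknown"}
    if v < hi:
        return {"version": version, "affected": True, "fixed_in": rng[1],
                "note": f"upgrade to {rng[1]} or newer (no binary patch is available)"}
    return {"version": version, "affected": False, "fixed_in": None, "note": "already fixed"}


def assess_inventory(inventory: Dict[str, str]) -> List[dict]:
    """Assess a host -> version-string map; values may be bare versions or 'Server version:' lines."""
    results = []
    for host, raw in inventory.items():
        version = extract_version(raw) or raw
        r = assess(version)
        r["host"] = host
        results.append(r)
    return results


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "app-01": "Server version: Apache Tomcat/9.0.107",
    "app-02": "10.1.44",
    "app-03": "11.0.0-M1",
    "legacy-01": "10.0.27",
    "legacy-02": "8.5.100",
}

if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        print(f"{r['host']:<10} {r['version']:<10} affected={r['affected']!s:<5} {r['note']}")
```

Run the block as-is to print the classification of the sample inventory; in practice, feed it the `Server version:` line collected from each host by `catalina.sh version`. A version string the regex does not recognise raises `ValueError` rather than silently passing as "not affected".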
Summary for Security Professionals
- This is a high-severity DoS vulnerability affecting HTTP/2 on Tomcat.
- Prioritize patching if your organization uses affected Tomcat versions to mitigate service disruption risks from remote attacks.
- At the time of writing, there is no evidence that this vulnerability has been exploited.