2379374 – (CVE-2025-52520) CVE-2025-52520 tomcat: Apache Tomcat denial of service

Bug 2379374 (CVE-2025-52520) - CVE-2025-52520 tomcat: Apache Tomcat denial of service

Summary: CVE-2025-52520 tomcat: Apache Tomcat denial of service

Keywords:
Status:	NEW
Alias:	CVE-2025-52520
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2379479 2379480
Blocks:
TreeView+	depends on / blocked

Reported:	2025-07-10 20:01 UTC by OSIDB Bzimport
Modified:	2025-07-17 02:03 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-07-10 20:01:51 UTC

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Note You need to log in before you can comment on or make changes to this bug.