This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-fileupload.git


The following commit(s) were added to refs/heads/master by this push:
     new c034c13e Add information for CVE-2025-48976
c034c13e is described below

commit c034c13eb8689ad6659a0ceb1b6f90ef0e48b3f6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 16 13:29:43 2025 +0100

    Add information for CVE-2025-48976
---
 RELEASE-NOTES.txt                  |  2 +-
 src/changes/changes.xml            |  2 +-
 src/site/xdoc/security-reports.xml | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 38 insertions(+), 2 deletions(-)

diff --git a/RELEASE-NOTES.txt b/RELEASE-NOTES.txt
index 8a15c823..308499ed 100644
--- a/RELEASE-NOTES.txt
+++ b/RELEASE-NOTES.txt
@@ -13,7 +13,7 @@ This release requires Java 11.
 Changes in version 2.0.0-M4 include:
 
 New features:
-o                  Add partHeaderSizeMax, a new limit that sets a maximum 
number of bytes for each individual multipart header. The default is 512 bytes. 
Thanks to Mark Thomas.
+o                  SECURITY - CVE-2025-48976. Add partHeaderSizeMax, a new 
limit that sets a maximum number of bytes for each individual multipart header. 
The default is 512 bytes. Thanks to Mark Thomas.
 
 Fixed Bugs:
 o                  Simplify exception handling in FileItem API #309. Thanks to 
Basil Crow.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index a71a5c6c..f1b0f3d1 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -50,7 +50,7 @@ The <action> type attribute can be add,update,fix,remove.
       <!-- FIX -->
       <action                        type="fix" dev="ppkarwasz" due-to="Basil 
Crow">Simplify exception handling in FileItem API #309.</action>
       <!-- ADD -->
-      <action                        type="add" dev="jochen"    due-to="Mark 
Thomas">Add partHeaderSizeMax, a new limit that sets a maximum number of bytes 
for each individual multipart header. The default is 512 bytes.</action>
+      <action                        type="add" dev="jochen"    due-to="Mark 
Thomas">SECURITY - CVE-2025-48976. Add partHeaderSizeMax, a new limit that sets 
a maximum number of bytes for each individual multipart header. The default is 
512 bytes.</action>
       <!-- UPDATE -->
     </release>
     <release version="2.0.0-M3" date="2025-05-07" description="This release 
requires Java 11.">
diff --git a/src/site/xdoc/security-reports.xml 
b/src/site/xdoc/security-reports.xml
index d3104468..b634b447 100644
--- a/src/site/xdoc/security-reports.xml
+++ b/src/site/xdoc/security-reports.xml
@@ -52,12 +52,48 @@
         href="https://commons.apache.org/security.html";>security page
         of the Apache Commons project</a>.</p>
 
+        <subsection name="Fixed in Apache Commons FileUpload 2.0.0-M4">
+          <p><b>Important: Denial of Service</b> <a
+          
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48976";>CVE-2025-48976</a></p>
+
+          <p>Apache Commons FileUpload 2.x before 2.0.0-M4 provides a 
hard-coded
+          limit of 10kB for the size of the headers associated with a multipart
+          request. A specially crafted request that used a large number of 
parts
+          with large headers could trigger excessive memory usage on the server
+          leading to a DoS. This limit is now configurable
+          (FileUploadBase#setPartHeaderSizeMax) with a default of 512 
bytes.</p>
+
+          <p>This was fixed in commit
+          <a 
href="https://github.com/apache/commons-fileupload/commit/e5b5543b3a40ac9dde3c33ef1858901b3ca6656a";
+          >e5b5543b</a>.</p>
+
+          <p>Affects: 2.0.0-M1 - 2.0.0-M4</p>
+        </subsection>
+
         <subsection name="Fixed in Apache Commons FileUpload 2.0.0-M1">
           <p>
             Starting in version 2.0.0-M1, no FileUpload classes implement 
Serializable.
           </p>
         </subsection>
 
+        <subsection name="Fixed in Apache Commons FileUpload 1.6">
+          <p><b>Important: Denial of Service</b> <a
+          
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48976";>CVE-2025-48976</a></p>
+
+          <p>Apache Commons FileUpload 2.x before 2.0.0-M4 provides a 
hard-coded
+          limit of 10kB for the size of the headers associated with a multipart
+          request. A specially crafted request that used a large number of 
parts
+          with large headers could trigger excessive memory usage on the server
+          leading to a DoS. This limit is now configurable
+          (FileUploadBase#setPartHeaderSizeMax) with a default of 512 
bytes.</p>
+
+          <p>This was fixed in commit
+          <a 
href="https://github.com/apache/commons-fileupload/commit/2108495a4775910b8559f18ed5a779d60542ee96";
+          >2108495a</a>.</p>
+
+          <p>Affects: 1.0 - 1.5</p>
+        </subsection>
+
         <subsection name="Fixed in Apache Commons FileUpload 1.5">
           <p><b>Important: Denial of Service</b> <a
           
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24998";>CVE-2023-24998</a></p>
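Review bot: The new "Fixed in Apache Commons FileUpload 1.6" subsection reuses the 2.x paragraph word for word, so it tells 1.x users that "Apache Commons FileUpload 2.x before 2.0.0-M4" is affected and points them at FileUploadBase#setPartHeaderSizeMax, while its own "Affects: 1.0 - 1.5" line and heading say this entry is about the 1.x line; the description should state the 1.x affected range (1.x before 1.6) and the configuration point that applies in 1.x, otherwise readers of the 1.x advisory cannot tell which setting to use. In the 2.0.0-M4 subsection the line "Affects: 2.0.0-M1 - 2.0.0-M4" contradicts the heading "Fixed in Apache Commons FileUpload 2.0.0-M4" and the text "2.x before 2.0.0-M4"; the affected range should end at 2.0.0-M3, matching the convention of the existing subsections where the fixed version is excluded from the Affects line. Both subsections link the same CVE, which is fine, but the two fixing commits are different (e5b5543b for master, 2108495a for the 1.x branch), so the descriptions should not be identical.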
