Severity: important
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.9
- Apache Tomcat 10.1.0-M1 through 10.1.43
- Apache Tomcat 9.0.0.M1 through 9.0.107
- Apache Tomcat 8.5.0 through 8.5.100 unknown
Description:
Improper Resource Shutdown or Release vulnerability in Apache Tomcat
made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from
10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL
versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or
9.0.108 which fix the issue.
Credit:
Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University
(finder)
References:
https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-48989
