Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2025-48988 PoC — Apache Tomcat: FileUpload large number of parts with headers DoS

Source
https://github.com/Samb102/POC-CVE-2025-48988-CVE-2025-48976
Associated Vulnerability
Title:Apache Tomcat: FileUpload large number of parts with headers DoS (CVE-2025-48988)
Description:Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Readme
# CVE-2025-48988 & CVE-2025-48976
## About
This project runs a simple file upload endpoint with Tomcat 10.1.41 and a Jakarta Servlet.

The exploit runs, by default, 1000 parallelized multipart requests with 1000 parts and 50 headers by part, from 50 workers.

## Run POC
Build and run the Docker container:

```docker build -t poc-cve-2025-48988 .```

```docker run -p 8080:8080 poc-cve-2025-48988```

Launch the exploit:

```python3 exploit-cve-2025-48988.py```

Monitor container resource usage:

```docker stats```

You will observe a significant increase in CPU usage:
![Stats](screenshots/docker_stats_tomcat_10.1.41.png)

## Remediation
Change docker image in dockerfile from `tomcat:10.1.41-jdk17` to `tomcat:10.1.42-jdk17`

With its default configuration, Tomcat will now respond with a 500 status code and CPU usage will remain stable, as per [fix](https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86#diff-1c3529b11adf91d5683a4d5394264b2f71383677ff4fb07f30f3e70c11b8e585R488-R877) introduced in Tomcat 10.1.42.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →