{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-48989", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2025-05-29T15:25:37.243Z", "datePublished": "2025-08-13T12:11:26.124Z", "dateUpdated": "2025-08-13T19:56:35.999Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "11.0.9", "status": "affected", "version": "11.0.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "10.1.43", "status": "affected", "version": "10.1.0-M1", "versionType": "semver"}, {"lessThanOrEqual": "9.0.107", "status": "affected", "version": "9.0.0.M1", "versionType": "semver"}, {"lessThanOrEqual": "8.5.100", "status": "unknown", "version": "8.5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.</p><p>Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.</p>"}], "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-08-13T12:11:26.124Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf"}], "source": {"discovery": "EXTERNAL"}, "title": "Apache Tomcat: h2 DoS - Made You Reset", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-08-13T18:37:15.707400Z", "id": "CVE-2025-48989", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T19:56:35.999Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-48989", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-13T18:37:15.707400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-13T18:37:19.170Z"}}], "cna": {"title": "Apache Tomcat: h2 DoS - Made You Reset", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gal Bar Nahum, Anat Bremler-Barr, and Yaniv Harel of Tel Aviv University"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat", "versions": [{"status": "affected", "version": "11.0.0-M1", "versionType": "semver", "lessThanOrEqual": "11.0.9"}, {"status": "affected", "version": "10.1.0-M1", "versionType": "semver", "lessThanOrEqual": "10.1.43"}, {"status": "affected", "version": "9.0.0.M1", "versionType": "semver", "lessThanOrEqual": "9.0.107"}, {"status": "unknown", "version": "8.5.0", "versionType": "semver", "lessThanOrEqual": "8.5.100"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.</p><p>This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.</p><p>Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "CWE-404 Improper Resource Shutdown or Release"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2025-08-13T12:11:26.124Z"}}}, "cveMetadata": {"cveId": "CVE-2025-48989", "state": "PUBLISHED", "dateUpdated": "2025-08-13T19:56:35.999Z", "dateReserved": "2025-05-29T15:25:37.243Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2025-08-13T12:11:26.124Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.\n\nUsers are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue."}, {"lang": "es", "value": "Una vulnerabilidad de apagado o liberaci\u00f3n incorrecta de recursos en Apache Tomcat lo hizo vulnerable al ataque \"Maked You Reset\". Este problema afecta a Apache Tomcat desde la versi\u00f3n 11.0.0-M1 hasta la 11.0.9, desde la 10.1.0-M1 hasta la 10.1.43 y desde la 9.0.0.M1 hasta la 9.0.107. Las versiones anteriores al final de su vida \u00fatil tambi\u00e9n pueden verse afectadas. Se recomienda actualizar a una de las versiones 11.0.10, 10.1.44 o 9.0.108, que solucionan el problema."}], "id": "CVE-2025-48989", "lastModified": "2025-08-13T20:15:30.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-08-13T13:15:34.153", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:13686", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 6.1.2", "release_date": "2025-08-13T00:00:00Z"}, {"advisory": "RHSA-2025:13685", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el10", "package": "jws6-tomcat-0:10.1.36-8.redhat_00009.1.el10jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 10", "release_date": "2025-08-13T00:00:00Z"}, {"advisory": "RHSA-2025:13685", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el8", "package": "jws6-tomcat-0:10.1.36-8.redhat_00009.1.el8jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 8", "release_date": "2025-08-13T00:00:00Z"}, {"advisory": "RHSA-2025:13685", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:6.1::el9", "package": "jws6-tomcat-0:10.1.36-8.redhat_00009.1.el9jws", "product_name": "Red Hat JBoss Web Server 6.1 on RHEL 9", "release_date": "2025-08-13T00:00:00Z"}], "bugzilla": {"description": "tomcat: http/2 \"MadeYouReset\" DoS attack through HTTP/2 control frames", "id": "2373309", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2373309"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["A flaw was found in Apache Tomcat where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the \"MadeYouReset\" attack, allows malicious clients to induce excessive server workload by repeatedly causing server-side stream aborts. While not a protocol bug, this highlights a common implementation weakness that can be exploited to cause a denial of service (DoS)."], "mitigation": {"lang": "en:us", "value": "No mitigation is currently available that meets Red Hat Product Security\u2019s standards for usability, deployment, applicability, or stability."}, "name": "CVE-2025-48989", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "tomcat9", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "pki-deps:10.6/pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "pki-servlet-engine", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Will not fix", "package_name": "tomcat", "product_name": "Red Hat JBoss Web Server 5"}], "public_date": "2025-08-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-48989\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-48989\nhttps://kb.cert.org/vuls/id/767506"], "statement": "This vulnerability is rated with an Important severity. It is simple to exploit because it does not require authentication and could result in a Denial of Service (DoS). While some DoS flaws are classified as Moderate, \u201cMadeYouReset\u201d is Important because of the limited barriers (no specialized tooling or advanced scripting) to exploitation which directly impacts service availability. The vulnerability arises from an implementation weakness in HTTP/2 stream reset handling \u2014 malformed client requests can trigger server-side resets without incrementing abuse counters, allowing an attacker to bypass built-in request throttling and overhead limits. Since these resets consume CPU and memory resources and can be generated at scale over a single TCP/TLS connection, a remote attacker could exhaust server capacity quickly, impacting all legitimate clients.", "threat_severity": "Important"}