DoS via Improper Resource Release in Apache Tomcat <9.0.108, 10.1.44, 11.0.10
CVE-2025-48989 Published on August 13, 2025
Apache Tomcat: h2 DoS - Made You Reset
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.
Vulnerability Analysis
CVE-2025-48989 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Products Associated with CVE-2025-48989
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-48989 are published in these products:
Affected Versions
Apache Software Foundation Apache Tomcat:- Version 11.0.0-M1, <= 11.0.9 is affected.
- Version 10.1.0-M1, <= 10.1.43 is affected.
- Version 9.0.0.M1, <= 9.0.107 is affected.
- Version 8.5.0, <= 8.5.100 is unknown.
- Version 10.0.0-M1, <= 10.0.27 is unknown.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.