CVE-2025-48988 – Allocation of Resources Without Limits or Throttling
Severity: High
2025-12-19
Abstract
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
The Oxygen products incorporate Apache Tomcat as a third-party component. This advisory was opened to address the potential impact of this third-party component vulnerability across affected Oxygen products and services.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen Content Fusion v8.1 and older | High | Oxygen Content Fusion 8.2 build 2025082116 |
| Oxygen XML Web Author v27.1.0 and older | High | Oxygen XML Web Author 27.1.0 build 2025082715 |
| Oxygen Feedback v5.2 and older | None | Oxygen Feedback 5.2 build 2025071110 |
Detail
CVE-2025-48988
Severity: High
CVSS Score: 7.5
Apache Tomcat used the same limit for both request parameters and multipart parts. Because multipart parts include headers that must be retained, a request with a large number of parts can cause excessive memory usage, leading to a denial of service. Affected Tomcat ranges: 11.0.0-M1 to 11.0.7, 10.1.0-M1 to 10.1.41, and 9.0.0.M1 to 9.0.105. The issue is fixed in Tomcat 11.0.8, 10.1.42, and 9.0.106.
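As an added example (not part of this advisory or of the Oxygen products' own code), the following Python function classifies a Tomcat version string against the affected ranges listed above. It treats milestone builds (M1, M2, ...) as earlier than the final release of the same number, so both the `9.0.0.M1` and `11.0.0-M1` spellings sort correctly; the version strings in the usage are constructed.

```python
import re
from typing import Optional, Tuple

# Per branch: (first affected release, first fixed release). None = no fix
# published (8.5 is EOL; 8.5.0 through 8.5.100 are known to be affected).
AFFECTED_RANGES = {
    (11, 0): ("11.0.0-M1", "11.0.8"),
    (10, 1): ("10.1.0-M1", "10.1.42"),
    (9, 0): ("9.0.0.M1", "9.0.106"),
    (8, 5): ("8.5.0", None),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.105', '9.0.0.M1' or 'Apache Tomcat/11.0.0-M1' into a sortable key."""
    v = v.strip()
    if v.startswith("Apache Tomcat/"):
        v = v[len("Apache Tomcat/"):]
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    # Final releases get flag 1 so every milestone (flag 0) of the same
    # major.minor.patch sorts before them.
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess_cve_2025_48988(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended upgrade). Status is 'affected',
    'not affected' or 'unknown' (older EOL branch not enumerated in the CVE)."""
    key = parse_version(version)
    branch = key[:2]
    if branch not in AFFECTED_RANGES:
        return ("unknown", None)
    first_affected, first_fixed = AFFECTED_RANGES[branch]
    if key < parse_version(first_affected):
        return ("not affected", None)
    if first_fixed is None or key < parse_version(first_fixed):
        return ("affected", first_fixed)
    return ("not affected", None)


if __name__ == "__main__":
    # Constructed sample banners, e.g. from a bundled ServerInfo.properties
    for sample in ("Apache Tomcat/9.0.105", "9.0.106", "11.0.0-M1", "8.5.100", "7.0.109"):
        print(sample, "->", assess_cve_2025_48988(sample))
```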
The vulnerability impacts products that embed or bundle affected Tomcat versions and that process multipart requests. We confirmed impact and delivered fixes for Oxygen Content Fusion and Oxygen XML Web Author. Where noted, some internal services were not exposed or did not use multipart uploads. Remediation across products was performed by upgrading Tomcat to fixed versions.
Starting with Oxygen Content Fusion version 8.2 build 2025082116, this vulnerability was addressed by updating Tomcat to a non-vulnerable version.
Oxygen Feedback does not expose multipart endpoints and is not affected; nevertheless, Tomcat was updated to 9.0.106 starting with Oxygen Feedback version 5.2 build 2025071110.
Starting with Oxygen XML Web Author version 27.1.0 build 2025082715, this vulnerability was addressed by upgrading to Tomcat 9.0.106.
