Search for vulnerabilities
Vulnerability details: VCID-7498-2z96-w3aa
Vulnerability ID VCID-7498-2z96-w3aa
Aliases CVE-2025-52520
GHSA-wr62-c79q-cv37
Summary For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-190 Integer Overflow or Wraparound
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00164 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00184 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00217 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00217 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00217 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00217 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00226 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52520
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wr62-c79q-cv37
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
generic_textual MODERATE https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
generic_textual MODERATE https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
generic_textual MODERATE https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
cvssv3.1 7.5 https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
generic_textual MODERATE https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
ssvc Track https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-52520
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-52520
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
https://api.first.org/data/v1/epss?cve=CVE-2025-52520
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
https://nvd.nist.gov/vuln/detail/CVE-2025-52520
1109111 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109111
2379374 https://bugzilla.redhat.com/show_bug.cgi?id=2379374
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CVE-2025-52520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52520
GHSA-wr62-c79q-cv37 https://github.com/advisories/GHSA-wr62-c79q-cv37
RHSA-2025:11695 https://access.redhat.com/errata/RHSA-2025:11695
RHSA-2025:11696 https://access.redhat.com/errata/RHSA-2025:11696
RHSA-2025:13685 https://access.redhat.com/errata/RHSA-2025:13685
RHSA-2025:13686 https://access.redhat.com/errata/RHSA-2025:13686
RHSA-2025:14177 https://access.redhat.com/errata/RHSA-2025:14177
RHSA-2025:14178 https://access.redhat.com/errata/RHSA-2025:14178
RHSA-2025:14179 https://access.redhat.com/errata/RHSA-2025:14179
RHSA-2025:14180 https://access.redhat.com/errata/RHSA-2025:14180
RHSA-2025:14181 https://access.redhat.com/errata/RHSA-2025:14181
RHSA-2025:14182 https://access.redhat.com/errata/RHSA-2025:14182
RHSA-2025:14183 https://access.redhat.com/errata/RHSA-2025:14183
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:08:03Z/ Found at https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-52520
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.38136
EPSS Score 0.00164
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:03:15.839045+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-11.html 37.0.0