VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-jknh-z7bv-4kcf

Essentials
Severities (56)
References (31)
Severity details (27)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-jknh-z7bv-4kcf
Aliases	CVE-2025-48988 GHSA-h3gc-qfqq-6h8f
Summary	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-770	Allocation of Resources Without Limits or Throttling
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48988.json
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00042	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00053	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00053	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00053	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00053	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00057	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00068	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
epss	0.00072	https://api.first.org/data/v1/epss?cve=CVE-2025-48988
apache_tomcat	Important	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988
cvssv3.1	7.5	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-h3gc-qfqq-6h8f
cvssv3.1	7.5	https://github.com/apache/tomcat
generic_textual	HIGH	https://github.com/apache/tomcat
cvssv3.1	7.5	https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
generic_textual	HIGH	https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
cvssv3.1	7.5	https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
generic_textual	HIGH	https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
cvssv3.1	7.5	https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
generic_textual	HIGH	https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
cvssv3.1	7.5	https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
generic_textual	HIGH	https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
ssvc	Track	https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2025-48988
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-48988
archlinux	High	https://security.archlinux.org/AVG-2888
archlinux	High	https://security.archlinux.org/AVG-2889
cvssv3.1	7.5	https://tomcat.apache.org/security-10.html
generic_textual	HIGH	https://tomcat.apache.org/security-10.html
cvssv3.1	7.5	https://tomcat.apache.org/security-11.html
generic_textual	HIGH	https://tomcat.apache.org/security-11.html
cvssv3.1	7.5	https://tomcat.apache.org/security-9.html
generic_textual	HIGH	https://tomcat.apache.org/security-9.html
cvssv3.1	7.5	http://www.openwall.com/lists/oss-security/2025/06/16/1
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2025/06/16/1

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48988.json
		https://api.first.org/data/v1/epss?cve=CVE-2025-48988
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
		https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
		https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
		https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18
		https://nvd.nist.gov/vuln/detail/CVE-2025-48988
		https://tomcat.apache.org/security-10.html
		https://tomcat.apache.org/security-11.html
		https://tomcat.apache.org/security-9.html
		http://www.openwall.com/lists/oss-security/2025/06/16/1
1108116		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108116
2373015		https://bugzilla.redhat.com/show_bug.cgi?id=2373015
AVG-2888		https://security.archlinux.org/AVG-2888
AVG-2889		https://security.archlinux.org/AVG-2889
cpe:2.3:a:apache:tomcat::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat::::::::
CVE-2025-48988		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988
GHSA-h3gc-qfqq-6h8f		https://github.com/advisories/GHSA-h3gc-qfqq-6h8f
RHSA-2025:11695		https://access.redhat.com/errata/RHSA-2025:11695
RHSA-2025:11696		https://access.redhat.com/errata/RHSA-2025:11696
RHSA-2025:11741		https://access.redhat.com/errata/RHSA-2025:11741
RHSA-2025:11742		https://access.redhat.com/errata/RHSA-2025:11742
RHSA-2025:14177		https://access.redhat.com/errata/RHSA-2025:14177
RHSA-2025:14178		https://access.redhat.com/errata/RHSA-2025:14178
RHSA-2025:14179		https://access.redhat.com/errata/RHSA-2025:14179
RHSA-2025:14180		https://access.redhat.com/errata/RHSA-2025:14180
RHSA-2025:14181		https://access.redhat.com/errata/RHSA-2025:14181
RHSA-2025:14182		https://access.redhat.com/errata/RHSA-2025:14182
RHSA-2025:14183		https://access.redhat.com/errata/RHSA-2025:14183

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48988.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-17T18:20:54Z/ Found at https://lists.apache.org/thread/nzkqsok8t42qofgqfmck536mtyzygp18

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-48988

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://tomcat.apache.org/security-10.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://tomcat.apache.org/security-11.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://tomcat.apache.org/security-9.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2025/06/16/1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.11667
EPSS Score	0.00042
Published At	Aug. 10, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2025-07-31T08:03:15.963051+00:00	Apache Tomcat Importer	Import	https://tomcat.apache.org/security-11.html	37.0.0