Search for vulnerabilities
Vulnerability details: VCID-uq2m-3tw8-eyhs
Vulnerability ID VCID-uq2m-3tw8-eyhs
Aliases CVE-2025-52520
GHSA-wr62-c79q-cv37
Summary For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-190 Integer Overflow or Wraparound
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-52520
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52520
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52520
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wr62-c79q-cv37
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
generic_textual MODERATE https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
generic_textual MODERATE https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
generic_textual MODERATE https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
cvssv3.1 7.5 https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
generic_textual MODERATE https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
ssvc Track https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-52520
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-52520
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
https://api.first.org/data/v1/epss?cve=CVE-2025-52520
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
1109111 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109111
2379374 https://bugzilla.redhat.com/show_bug.cgi?id=2379374
CVE-2025-52520 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52520
CVE-2025-52520 https://nvd.nist.gov/vuln/detail/CVE-2025-52520
GHSA-wr62-c79q-cv37 https://github.com/advisories/GHSA-wr62-c79q-cv37
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/a51e4bedccfafd35b7cdd0ee3e22267dee9f90db
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/fc42bbccb9041fafd194fbfdf3eab1d44cb5c45c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:08:03Z/ Found at https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-52520
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.03054
EPSS Score 0.00018
Published At July 11, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-05T22:25:46.587424+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-9.html 37.0.0