CVE-2023-24998

CVE-2023-24998: Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts

Vendor: Apache Software Foundation
Product: Apache Commons FileUpload
Weakness: CWE-770 · Uncontrolled resource consumption
Published: February 20, 2023
Last update: November 3, 2025

What the vulnerability does

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Key dates

Disclosure timeline

February 20, 2023: CVE published
November 3, 2025: Record updated