CVE-2025-48989

CVE-2025-48989: Apache Tomcat: h2 DoS - Made You Reset

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-404

Published August 13, 2025

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

Key dates

Disclosure timeline

August 13, 2025 CVE published

May 12, 2026 Record updated

Identifiers

CVE CVE-2025-48989

CWE CWE-404

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.9

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.43

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.0.M1 and ≤ 9.0.107