Summary
CVE-2025-48989 is a high-severity denial-of-service flaw in Apache Tomcat’s HTTP/2 implementation (the tomcat-coyote component). Improper resource shutdown or release (CWE-404) makes Tomcat vulnerable to the “MadeYouReset” attack, in which a client provokes the server into resetting streams so that the work already started for those streams is never properly released. It affects versions 11.0.0-M1 to 11.0.9, 10.1.0-M1 to 10.1.43, and 9.0.0.M1 to 9.0.107. Updating to 11.0.10, 10.1.44, or 9.0.108 resolves it.
Urgent Actions Required
- Update Apache Tomcat to 11.0.10, 10.1.44, or 9.0.108; this is the only complete fix.
- If patching is delayed, monitor Tomcat heap usage, container thread-pool saturation and HTTP/2 reset activity for unusual patterns.
- Tighten HTTP/2 stream limits and timeouts on the Tomcat connector, or disable HTTP/2 on exposed connectors, to reduce the impact until the upgrade is done.
Which Systems Are Vulnerable to CVE-2025-48989?
Technical Overview
- Vulnerability Type: Improper Resource Shutdown or Release (CWE-404)
- Affected Software/Versions:
- Apache Tomcat 11.0.0-M1 - 11.0.9
- Apache Tomcat 10.1.0-M1 - 10.1.43
- Apache Tomcat 9.0.0.M1 - 9.0.107
- Attack Vector: Network (HTTP/2)
- CVSS Score: 7.5 (High)
- CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
- Patch Availability: Yes, available
How Does the CVE-2025-48989 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-48989?
Vulnerability Root Cause:
The flaw is in Tomcat’s HTTP/2 stream handling. In the “MadeYouReset” pattern the client first sends a complete request on a stream, then sends a frame that is valid for the connection but illegal for that individual stream (for example a WINDOW_UPDATE with a zero increment, or a DATA frame that overruns the declared content length). The server has to answer with RST_STREAM, and once it does, the stream no longer counts against the connection’s concurrent-stream limit. The request that was already dispatched keeps consuming a container thread and memory, because the resources tied to that stream are not released or accounted for when the reset happens. Repeating the cycle lets a single connection push far more requests into processing than maxConcurrentStreams allows, exhausting threads and heap and causing a denial of service. Because the resets are sent by the server rather than the client, protections that count client-sent RST_STREAM frames (the Rapid Reset defences) do not trigger.
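To make the accounting mistake concrete, here is a small Python model of one HTTP/2 connection under a MadeYouReset flood. It is an added illustration written for this page, not Tomcat source code: the limits, the stream-level trigger and the “handler” abstraction are assumptions, and the hardened variant only shows two accounting choices that close the gap in the model (counting dispatched work toward the limit, and treating repeated server-provoked resets as connection overhead); it is not a description of the fix shipped in 11.0.10, 10.1.44 and 9.0.108.

```python
"""Toy model of HTTP/2 stream accounting under a MadeYouReset-style flood.

Illustrative model written for this page, not Tomcat code. It shows the
mistake behind the attack: a server that sends RST_STREAM for a stream-level
protocol violation drops that stream from its concurrent-stream count but
leaves the request handler it already dispatched running.
"""
from dataclasses import dataclass, field


@dataclass
class H2Connection:
    """Per-connection state as seen by the server side (assumed fields)."""
    max_concurrent_streams: int = 100   # Tomcat's default for maxConcurrentStreams
    count_in_flight_work: bool = False  # False reproduces the vulnerable accounting
    reset_overhead_limit: int = 0       # >0: send GOAWAY after this many server resets
    open_streams: set = field(default_factory=set)
    in_flight: set = field(default_factory=set)  # handlers dispatched, not yet finished
    server_resets: int = 0
    closed: bool = False

    def _occupied(self) -> int:
        if self.count_in_flight_work:
            return len(self.open_streams | self.in_flight)
        return len(self.open_streams)

    def headers_frame(self, stream_id: int) -> str:
        """Client opens a stream with a complete request; the server dispatches it."""
        if self.closed:
            return "CONNECTION_CLOSED"
        if self._occupied() >= self.max_concurrent_streams:
            return "REFUSED_STREAM"
        self.open_streams.add(stream_id)
        self.in_flight.add(stream_id)   # request handed to the container thread pool
        return "DISPATCHED"

    def invalid_stream_frame(self, stream_id: int) -> str:
        """Client sends a frame that is legal for the connection but illegal for this
        stream (e.g. WINDOW_UPDATE with increment 0). The server must reply with
        RST_STREAM, and that is where the two accounting models diverge."""
        if self.closed or stream_id not in self.open_streams:
            return "IGNORED"
        self.open_streams.discard(stream_id)   # gone from the concurrency count
        self.server_resets += 1
        # The dispatched handler cannot be recalled in either model; the hardened
        # model keeps counting it via _occupied() and caps server-provoked resets.
        if self.reset_overhead_limit and self.server_resets > self.reset_overhead_limit:
            self.closed = True
            return "GOAWAY"
        return "RST_STREAM"

    def handler_finished(self, stream_id: int) -> None:
        self.in_flight.discard(stream_id)


def flood(conn: H2Connection, attempts: int) -> dict:
    """Attacker loop: open a stream, immediately provoke a server reset, repeat.
    No handler finishes during the loop (slow backend), the worst case."""
    outcome = {"dispatched": 0, "refused": 0, "goaway": 0}
    stream_id = 1
    for _ in range(attempts):
        result = conn.headers_frame(stream_id)
        if result == "DISPATCHED":
            outcome["dispatched"] += 1
            if conn.invalid_stream_frame(stream_id) == "GOAWAY":
                outcome["goaway"] += 1
                break
        elif result == "REFUSED_STREAM":
            outcome["refused"] += 1
        else:
            break
        stream_id += 2   # client-initiated streams use odd IDs
    outcome["in_flight"] = len(conn.in_flight)
    return outcome


if __name__ == "__main__":
    print("vulnerable:", flood(H2Connection(), 1000))
    print("count work:", flood(H2Connection(count_in_flight_work=True), 1000))
    print("count work + reset cap:",
          flood(H2Connection(count_in_flight_work=True, reset_overhead_limit=50), 1000))
```

With the vulnerable accounting, 1000 attempts leave 1000 handlers in flight on a connection whose stream limit is 100; counting dispatched work caps that at 100, and the reset cap ends the connection after 51 provoked resets.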
How Can You Mitigate CVE-2025-48989?
If immediate patching is delayed or not possible:
- Disable HTTP/2 where possible: remove the UpgradeProtocol element (className org.apache.coyote.http2.Http2Protocol) from each exposed Connector in server.xml. The flaw lives in HTTP/2 stream handling; HTTP/1.1 is not affected.
- Rate-limit new connections per source at the proxy or firewall to blunt connection floods. Note that the resets in this attack are sent by the server, so rules that count client-sent RST_STREAM frames (Rapid Reset protections) do not catch it.
- Monitor Tomcat heap, container thread-pool usage and HTTP/2 stream and reset counts for spikes.
- Tighten maxConcurrentStreams, maxConcurrentStreamExecution and the HTTP/2 timeouts (keepAliveTimeout, streamReadTimeout, readTimeout) on the UpgradeProtocol element, and the equivalent stream limits on any proxy in front. These reduce the per-connection damage but do not close the flaw.
- Restrict HTTP/2 access to trusted systems only, for example by terminating TLS at a proxy that speaks HTTP/1.1 to Tomcat.
- Upgrade to Tomcat 11.0.10, 10.1.44, or 9.0.108 as soon as possible; it is the only complete fix.
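The following Python script audits a server.xml for the settings in the list above: whether HTTP/2 is enabled on a connector, and whether the stream limits and timeouts are set below a chosen ceiling. It is an added example written for this page, not a Tomcat tool. The attribute names are the documented ones on org.apache.coyote.http2.Http2Protocol and the defaults of 100 for maxConcurrentStreams and 20 for maxConcurrentStreamExecution are Tomcat’s; the ceilings, the timeout values and the sample server.xml fragments are constructed assumptions, not Tomcat recommendations.

```python
"""Audit a Tomcat server.xml for HTTP/2 exposure and the per-connection limits
that bound a MadeYouReset flood. Added example for this page, not a Tomcat tool."""
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# attribute -> (ceiling chosen for this audit, Tomcat default when omitted)
CEILINGS = {
    "maxConcurrentStreams": (50, 100),
    "maxConcurrentStreamExecution": (10, 20),
}
# HTTP/2 timeouts (milliseconds) that should be set explicitly and kept short;
# the ceilings are assumptions for this audit
TIMEOUT_CEILINGS_MS = {"keepAliveTimeout": 10000, "streamReadTimeout": 10000, "readTimeout": 5000}


def audit_server_xml(xml_text: str) -> list:
    """Return (severity, message) findings for every HTTP/2-enabled connector.
    'info' marks HTTP/2 being on at all; 'warn' marks a limit above its ceiling."""
    findings = []
    root = ET.fromstring(xml_text)
    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        for up in connector.findall("UpgradeProtocol"):
            if up.get("className") != HTTP2_CLASS:
                continue
            findings.append(("info", f"port {port}: HTTP/2 enabled; remove this "
                             "UpgradeProtocol element to fall back to HTTP/1.1 "
                             "until the fixed version is deployed"))
            for attr, (ceiling, default) in CEILINGS.items():
                raw = up.get(attr)
                value = int(raw) if raw is not None else default
                if value > ceiling:
                    origin = "default" if raw is None else "configured"
                    findings.append(("warn", f"port {port}: {attr}={value} ({origin}) "
                                     f"above ceiling {ceiling}"))
            for attr, ceiling in TIMEOUT_CEILINGS_MS.items():
                raw = up.get(attr)
                if raw is None:
                    findings.append(("warn", f"port {port}: {attr} not set explicitly"))
                elif int(raw) > ceiling:
                    findings.append(("warn", f"port {port}: {attr}={raw} ms above "
                                     f"ceiling {ceiling} ms"))
    return findings


def sample_server_xml(upgrade_attrs) -> str:
    """Constructed server.xml fragment for the examples below, not a real deployment.
    upgrade_attrs=None omits the UpgradeProtocol element, i.e. HTTP/1.1 only."""
    upgrade = ""
    if upgrade_attrs is not None:
        attrs = "".join(f' {k}="{v}"' for k, v in upgrade_attrs.items())
        upgrade = f'<UpgradeProtocol className="{HTTP2_CLASS}"{attrs}/>'
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      {upgrade}
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


# weak: HTTP/2 on with every limit left at its default
WEAK_H2 = {}
# hardened: explicit, lower limits (values are assumptions for this example)
HARDENED_H2 = {
    "maxConcurrentStreams": 50,
    "maxConcurrentStreamExecution": 10,
    "keepAliveTimeout": 10000,
    "streamReadTimeout": 10000,
    "readTimeout": 5000,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_H2), ("hardened", HARDENED_H2), ("http1-only", None)):
        print(label)
        for severity, message in audit_server_xml(sample_server_xml(cfg)):
            print(f"  [{severity}] {message}")
```

The hardened configuration still produces the single “info” finding, which is deliberate: with a vulnerable Tomcat, server-provoked resets free stream slots, so lowering maxConcurrentStreams alone does not stop the flood. maxConcurrentStreamExecution does cap how many container threads one connection can hold, which is why it is the more useful of the two until the upgrade is in place.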
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Web Servers: Apache Tomcat instances running vulnerable versions.
- Application Servers: Systems using HTTP/2 for client connections.
- Proxy or Gateway Integrations: Deployments relying on Tomcat for backend communication over HTTP/2.
Business-Critical Systems at Risk:
- Public-Facing Web Applications: Susceptible to resource exhaustion and service disruption.
- APIs or Microservices: Impacted if exposed through Tomcat’s HTTP/2 endpoints.
- Enterprise Platforms: Availability issues if Tomcat is part of core business services.
Exposure Level:
- Internet-Facing Servers: High exposure due to direct HTTP/2 access.
- Internal Services: Moderate exposure if internal clients use HTTP/2 connections.
Will Patching CVE-2025-48989 Cause Downtime?
Patch application impact: Low. The fix is a drop-in upgrade of the Tomcat binaries and needs a service restart, so a brief interruption is expected unless instances are restarted one at a time behind a load balancer. Test the new release in staging first, since moving to a new patch release also picks up the other changes in that release.
How Can You Detect CVE-2025-48989 Exploitation?
Exploitation Signatures:
- Unusually high rate of server-sent RST_STREAM frames per connection, with few or none sent by the client: in this attack the reset is provoked, not sent, by the attacker.
- A steady run of stream-level protocol violations from one source (for example WINDOW_UPDATE frames with a zero increment, DATA frames that exceed the declared content length, or frames on a stream that is already half-closed), each followed by a server reset.
- Requests dispatched per connection far above the configured maxConcurrentStreams, even though the number of open streams looks normal.
- Large, unexplained increases in heap usage of the Tomcat process and exhaustion of the container thread pool.
- Server-side errors such as OutOfMemoryError or repeated connection/stream exceptions in Tomcat logs.
- Sharp rise in connection counts or many half-open/incomplete stream states.
Behavioral Indicators:
- Legitimate requests fail or time out while resource use climbs.
- Tomcat becomes slow or unresponsive despite normal incoming request volume.
- Persistent incomplete streams or connections that do not close cleanly.
Alerting Strategy:
- Priority: High
- Trigger on memory growth above baseline thresholds for Tomcat processes.
- Alert on spikes in the server-sent RST_STREAM rate and in stream-level protocol errors (per source IP and overall); client-sent reset rates will look normal during this attack.
- Alert when concurrent HTTP/2 stream counts exceed expected limits.
- Trigger on Tomcat OOM or repeated stream/connection errors in logs.
- Raise an incident when service responsiveness drops or HTTP/2 endpoints stop responding.
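The alerting rules above, implemented as an added example over constructed per-minute samples. This is not Tomcat output: Tomcat’s access log does not record HTTP/2 frames, so the server_rst_stream, client_rst_stream and active_streams counters are assumed to come from a reverse proxy, packet capture or similar exporter in front of Tomcat, and heap_used_mb from a JVM exporter such as JMX. The thresholds, the baseline and the addresses are assumptions for this example.

```python
"""Alert rules for MadeYouReset indicators over constructed per-minute samples.
Added example for this page; the metric source and thresholds are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    minute: int
    src_ip: str
    server_rst_stream: int   # RST_STREAM frames the server sent on this source's connections
    client_rst_stream: int   # RST_STREAM frames this source sent (Rapid Reset signal)
    active_streams: int      # peak open streams per connection as the server counts them
    heap_used_mb: int        # Tomcat JVM heap, process-wide, repeated on every row


@dataclass
class Thresholds:
    server_rst_per_min: int = 100    # assumed; tune to the baseline of the deployment
    active_streams: int = 100        # Tomcat's default maxConcurrentStreams
    heap_growth_factor: float = 1.5  # heap above this multiple of baseline raises an alert


def evaluate(samples, baseline_heap_mb: int, th: Thresholds = None) -> list:
    """Return (minute, source, rule, detail) alerts. Source '*' is process-wide."""
    th = th or Thresholds()
    alerts = []
    heap_by_minute = {}
    for s in samples:
        heap_by_minute[s.minute] = max(heap_by_minute.get(s.minute, 0), s.heap_used_mb)
        # Primary signal: the server is being made to reset streams. The client
        # reset count is reported alongside to show why Rapid Reset rules miss it.
        if s.server_rst_stream >= th.server_rst_per_min:
            alerts.append((s.minute, s.src_ip, "server_reset_rate",
                           f"{s.server_rst_stream} server-sent RST_STREAM/min, "
                           f"only {s.client_rst_stream} from the client"))
        if s.active_streams > th.active_streams:
            alerts.append((s.minute, s.src_ip, "stream_count",
                           f"{s.active_streams} open streams above {th.active_streams}"))
    for minute, heap in sorted(heap_by_minute.items()):
        if heap > baseline_heap_mb * th.heap_growth_factor:
            alerts.append((minute, "*", "heap_growth",
                           f"heap {heap} MB above {th.heap_growth_factor}x "
                           f"baseline {baseline_heap_mb} MB"))
    return alerts


# Constructed samples: one normal client and one attacker starting in minute 2.
# The attacker's open-stream count stays tiny; the reset count and the heap give
# it away.
BASELINE_HEAP_MB = 500
SAMPLES = [
    Sample(1, "10.0.0.5", 0, 2, 12, 520),
    Sample(2, "10.0.0.5", 1, 3, 15, 700),
    Sample(2, "203.0.113.7", 950, 0, 6, 700),
    Sample(3, "10.0.0.5", 0, 1, 10, 1400),
    Sample(3, "203.0.113.7", 1800, 0, 5, 1400),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLES, BASELINE_HEAP_MB):
        print(alert)
```

Note what does not fire: the stream_count rule never triggers for the attacker, because the provoked resets keep the server’s own concurrency counter low. A detection built only on open-stream counts or on client-sent resets would stay silent until the heap alert.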
Where Can I Find More Information on CVE-2025-48989?
- NVD – CVE-2025-48989
- CVE-2025-48989 | Tenable®
- CVE-2025-48989 : Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat
- CVE-2025-48989 Impact, Exploitability, and Mitigation Steps | Wiz
- CVE-2025-48989 – Apache Tomcat: h2 DoS – Made You Reset
- Apache Tomcat Vulnerabilities Let Attackers Trigger DoS Attack
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 7.5 | High-severity vulnerability with significant availability impact. |
| Attack Vector | Network | Exploitable remotely over HTTP/2 connections. |
| Attack Complexity | Low | Attack requires no special conditions or advanced setup. |
| Privileges Required | None | Exploitation does not need authentication or elevated privileges. |
| User Interaction | None | No user action is required for exploitation. |
| Scope | Unchanged | Impact is limited to the affected Apache Tomcat component. |
| Confidentiality Impact | None | No data disclosure is expected from this issue. |
| Integrity Impact | None | No unauthorized data modification occurs. |
| Availability Impact | High | Exploitation can exhaust threads and memory, causing denial of service. |