Resource exhaustion in Apache Software Foundation Tomcat

CVE-2025-48988

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions we…

EPSS: 0.532 (98.8th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-48988?
CVE-2025-48988 is a vulnerability in Apache Software Foundation Tomcat, classified under Allocation of Resources Without Limits or Throttling. Published 2025-06-16.
Is CVE-2025-48988 known to be exploited?
8 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.