CVE-2025-36047: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 18.0.0.2 through 25.0.0.8 is affected by a denial of service vulnerability (CVE-2025-36047). The vulnerability was discovered and disclosed on August 14, 2025, and affects systems with servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 features when HTTP/2 protocol is enabled (IBM Security).

The vulnerability is caused by improper handling of specially-crafted requests that can lead to excessive server resource consumption. It has been assigned a CVSS Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (IBM Security).

When exploited, this vulnerability allows a remote attacker to cause the server to consume memory resources, potentially leading to a denial of service condition. The impact is primarily focused on the availability of the system, with no direct effect on confidentiality or integrity (IBM Security).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH66953 or upgrading to Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Users should first verify if their installation has the servlet features (3.1, 4.0, 5.0, or 6.0) enabled and if HTTP/2 protocol is in use. No workarounds are available for this vulnerability (IBM Security).