CVE-2025-36047: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server Liberty versions 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service vulnerability identified as CVE-2025-36047. The vulnerability was discovered and disclosed on August 14, 2025, affecting multiple operating systems including AIX, IBM i, Linux, macOS, Windows, and z/OS (NVD, IBM Advisory).

The vulnerability is caused by improper handling of specially-crafted requests when using the servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 feature with the HTTP/2 protocol enabled. It has been assigned CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has received a CVSS v3.1 base score of 7.5 (High) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, while IBM assessed it with a score of 5.3 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, IBM Advisory).

When exploited, this vulnerability allows a remote attacker to cause the server to consume memory resources, potentially leading to a denial of service condition. The attack requires no user interaction or special privileges, and can be executed remotely (IBM Advisory).

IBM recommends addressing the vulnerability by either applying an interim fix for APAR PH66953 or upgrading to Liberty Fix Pack 25.0.0.9 or later (targeted availability 3Q2025). Users must verify if the HTTP/2 protocol is enabled with Liberty Servlet features. No workarounds are available for this vulnerability (IBM Advisory).