CVE-2025-36099: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 were identified with a denial of service vulnerability (CVE-2025-36099) disclosed on September 29, 2025. The vulnerability affects multiple editions including Advanced, Base, Developer, Enterprise, Express, Network Deployment, and Single Server across various platforms such as AIX, HP-UX, IBM i, Linux, Solaris, Windows, and z/OS (IBM Advisory).

The vulnerability is caused by improper resource allocation, specifically related to memory management when processing specially-crafted requests. It has been assigned CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability received a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, but requiring high privileges with no user interaction (IBM Advisory).

When successfully exploited, this vulnerability allows a privileged user to cause the server to consume memory resources, potentially leading to a denial of service condition. The impact is primarily focused on system availability, with no direct effect on confidentiality or integrity (IBM Advisory).

IBM recommends addressing the vulnerability by applying available interim fixes or fix packs containing the fix for APAR PH67817. For version 9.0.0.0 through 9.0.5.25, users should either upgrade to Fix Pack 9.0.5.26 or later (targeted for 4Q2025) or apply the interim fix for PH67817. For version 8.5.0.0 through 8.5.5.28, users should upgrade to Fix Pack 8.5.5.29 or later (targeted for 1Q2026) or apply the interim fix for PH67817. No workarounds have been identified (IBM Advisory).