CVE-2025-36099: 
IBM WebSphere Application Server vulnerability analysis and mitigation

IBM WebSphere Application Server versions 8.5 and 9.0 are affected by a denial of service vulnerability identified as CVE-2025-36099. The vulnerability was discovered and disclosed on September 29, 2025. The affected systems include IBM WebSphere Application Server traditional versions 9.0.0.0 through 9.0.5.25 and 8.5.0.0 through 8.5.5.28 (IBM Security Bulletin).

The vulnerability is caused by improper handling of specially-crafted requests that can lead to uncontrolled resource allocation. It has been assigned CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerability has received a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with high privileges required (IBM Security Bulletin).

When exploited, this vulnerability allows a privileged user to cause the server to consume memory resources, potentially leading to a denial of service condition. The impact is primarily focused on the availability of the system, with no direct effect on confidentiality or integrity (IBM Security Bulletin).

IBM recommends addressing the vulnerability by either applying an interim fix containing the fix for APAR PH67817, or upgrading to Fix Pack 9.0.5.26 or later (targeted for 4Q2025) for version 9.0, or Fix Pack 8.5.5.29 or later (targeted for 1Q2026) for version 8.5. No workarounds are available for this vulnerability (IBM Security Bulletin).