CVE-2025-48989: 
Java vulnerability analysis and mitigation

CVE-2025-48989 is an Improper Resource Shutdown or Release vulnerability discovered in Apache Tomcat that makes it vulnerable to the 'Made You Reset' attack. The vulnerability affects multiple versions of Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43, and from 9.0.0.M1 through 9.0.107. The vulnerability was disclosed on August 13, 2025 (Apache List).

The vulnerability stems from a mismatch between HTTP/2 specifications and internal server architectures where malformed client requests can trigger server-side stream resets without properly managing resources. The vulnerability has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CERT VU).

When exploited, this vulnerability can lead to resource exhaustion and denial-of-service (DoS) conditions. The attack allows a threat actor to cause the server to handle an unbounded number of concurrent HTTP/2 requests on a single connection, potentially leading to server overload (CERT VU).

Users are recommended to upgrade to one of the following fixed versions: Apache Tomcat 11.0.10, 10.1.44, or 9.0.108. These versions contain the necessary patches to address the vulnerability (Apache List).