CVE-2025-48989: 
Java vulnerability analysis and mitigation

CVE-2025-48989 is an Improper Resource Shutdown or Release vulnerability discovered in Apache Tomcat that makes it vulnerable to the 'made you reset' attack. The vulnerability affects multiple versions of Apache Tomcat: versions 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107, with older EOL versions potentially affected as well. The vulnerability was disclosed on August 13, 2025 (NVD).

The vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release) and has received a CVSS v3.1 base score of 7.5 (High). The vulnerability stems from an implementation weakness in HTTP/2 stream reset handling, where malformed client requests can trigger server-side issues. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). While the scope is unchanged (S:U) and there are no impacts on confidentiality (C:N) or integrity (I:N), the vulnerability can significantly impact system availability (A:H) (CISA-ADP).

The primary impact of this vulnerability is on system availability, potentially leading to Denial of Service (DoS) conditions through HTTP/2 protocol exploitation. The high availability impact score in the CVSS rating indicates that the vulnerability could cause a significant disruption to system resources (Red Hat).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 11.0.10, 10.1.44, or 9.0.108, which contain patches addressing this vulnerability. The fixes have been implemented through specific commits in the Apache Tomcat repository for each affected version (Ubuntu Security).