Vulnerability DatabaseCVE-2025-61795

CVE-2025-61795:
Java vulnerability analysis and mitigation

Overview

CVE-2025-61795 is an Improper Resource Shutdown or Release vulnerability affecting Apache Tomcat. The vulnerability was discovered and disclosed on October 27, 2025. It affects multiple versions of Apache Tomcat including versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and EOL versions 8.5.0 through 8.5.100 (NVD, Security Online).

Technical details

The vulnerability occurs during the processing of multipart uploads where temporary copies of uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. The severity is rated as MEDIUM with a CVSS 3.1 Base Score of 5.3 (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). The vulnerability is classified under CWE-404 (Improper Resource Shutdown or Release) (NVD).

Impact

Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than the garbage collection could clear it, potentially leading to a Denial of Service (DoS) condition (Security Online).

Mitigation and workarounds

Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later which fixes the issue. These patched versions address the improper resource cleanup vulnerability (NVD).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer? See which CVEs are exploitable in your environment.

Get a CVE Assessment

5.3

Score

Published October 27, 2025

Severity MEDIUM

CNA Score 5.3

Affected Technologies

Java
Apache Tomcat

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 11.6

Exploitation Probability (EPSS) N/A

Affected packages and libraries

tomcat-docs-webapp
tomcat-javadoc

Sources

NVD
Debian Security Tracker
- Debian 11 Severity MEDIUMNo FixAdded at: Oct 28, 2025
- Debian 12, 13, 14 Severity MEDIUMHas FixAdded at: Oct 28, 2025
GitHub Advisory Database
- Maven Severity LOWHas FixAdded at: Oct 29, 2025
Red Hat Errata
- Red Hat 6, 7, 8, 9, 10 Severity MEDIUMNo FixAdded at: Oct 28, 2025
VulnCheck NVD++
- Linux Severity MEDIUMHas FixAdded at: Oct 28, 2025
- Windows Severity MEDIUMHas FixAdded at: Oct 28, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Java vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-55754	CRITICAL	9.6	Java	tomcat6-webapps	No	Yes	Oct 27, 2025
CVE-2025-62782	MEDIUM	5.9	Java	de.themoep:inventorygui	No	Yes	Oct 27, 2025
CVE-2025-62784	MEDIUM	5.3	Java	de.themoep:inventorygui	No	Yes	Oct 27, 2025
CVE-2025-61795	MEDIUM	5.3	Java	tomcat-docs-webapp	No	Yes	Oct 27, 2025
CVE-2025-62783	MEDIUM	5	Java	de.themoep:inventorygui	No	Yes	Oct 27, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-61795: Java vulnerability analysis and mitigation