CVE-2025-61795 is a vulnerability classified under CWE-404 (Improper Resource Shutdown or Release) found in Apache Tomcat versions 8.5.0 through 11.0.11. The issue arises during the processing of multipart uploads when an error occurs, such as exceeding configured limits. In these cases, temporary files created on disk to hold parts of the upload are not immediately deleted but instead rely on the Java Virtual Machine's garbage collection (GC) to eventually clean them up. Depending on JVM configuration, application memory usage, and server load, this delayed cleanup can cause the disk space allocated for these temporary files to fill up faster than GC can reclaim it. This resource exhaustion leads to a denial-of-service (DoS) condition, where the Tomcat server may become unresponsive or fail to process further requests. The vulnerability affects multiple major branches of Tomcat: 8.5.x (EOL but still in use), 9.0.x, 10.1.x, and 11.0.x. The flaw does not compromise confidentiality or integrity but impacts availability. Exploitation requires network access and low privileges but no user interaction, making it feasible for remote attackers to trigger. The Apache Software Foundation has addressed this issue in versions 11.0.12, 10.1.47, and 9.0.110 and later. No known exploits have been reported in the wild at the time of publication. Organizations running affected Tomcat versions should upgrade promptly to mitigate the risk of DoS attacks stemming from multipart upload handling.

For European organizations, the primary impact of CVE-2025-61795 is the risk of denial-of-service attacks that can disrupt web services hosted on Apache Tomcat servers. Many European enterprises, government agencies, and service providers rely on Tomcat for Java-based web applications, including critical infrastructure and customer-facing portals. A successful exploitation could lead to service outages, impacting business continuity, customer trust, and regulatory compliance, especially under GDPR where availability is a component of data protection. The vulnerability does not expose sensitive data or allow unauthorized changes but can degrade operational reliability. Organizations with high-volume upload services or those with JVM configurations that delay garbage collection are particularly vulnerable. The potential for attackers to remotely trigger resource exhaustion without user interaction increases the threat surface. This can also affect cloud-hosted Tomcat instances commonly used by European companies, amplifying the risk of widespread service degradation or downtime.

1. Upgrade Apache Tomcat to the fixed versions: 11.0.12 or later, 10.1.47 or later, or 9.0.110 or later as soon as possible to ensure the vulnerability is patched. 2. Review and optimize JVM garbage collection settings to improve the timely cleanup of temporary files, reducing the risk of disk space exhaustion. 3. Implement monitoring and alerting on disk usage, particularly in directories used for multipart uploads, to detect abnormal growth early. 4. Configure upload size limits and error handling to minimize the creation of excessive temporary files. 5. Use web application firewalls (WAFs) or rate limiting to restrict the frequency of multipart upload requests from untrusted sources. 6. Conduct regular audits of Tomcat server configurations and logs to identify signs of attempted exploitation or resource exhaustion. 7. For legacy systems that cannot be immediately upgraded, consider isolating Tomcat instances and applying strict resource quotas at the OS level to contain potential DoS impact. 8. Educate DevOps and security teams about this vulnerability to ensure rapid response and patch management.