MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
CVE-2014-0050
Score elevated to 9.0 because EPSS predicts 93% probability of exploitation within the next 30 days (top 0.2% of all CVEs). Confidence: see factors.
- 9 internet-exposed hosts are running an affected version right now
- High exploitation likelihood — EPSS 83%
A fix is available — apply it.
9 internet-exposed hosts are running an affected version of CVE-2014-0050 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 99.6%
- KEV
- Not listed
Published
April 1, 2014
Last Modified
May 6, 2026
References (138)
- secalert@redhathttp://advisories.mageia.org/MGASA-2014-0110.html
- secalert@redhathttp://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
- secalert@redhathttp://jvn.jp/en/jp/JVN14876762/index.html
- secalert@redhathttp://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
- secalert@redhathttp://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907%40apache.org%3E
- secalert@redhathttp://marc.info/?l=bugtraq&m=143136844732487&w=2
- secalert@redhathttp://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
- secalert@redhathttp://rhn.redhat.com/errata/RHSA-2014-0252.html
- secalert@redhathttp://rhn.redhat.com/errata/RHSA-2014-0253.html
- secalert@redhathttp://rhn.redhat.com/errata/RHSA-2014-0400.html
- secalert@redhathttp://seclists.org/fulldisclosure/2014/Dec/23
- secalert@redhathttp://secunia.com/advisories/57915
- secalert@redhathttp://secunia.com/advisories/58075
- secalert@redhathttp://secunia.com/advisories/58976
- secalert@redhathttp://secunia.com/advisories/59039
Vendor Advisories for CVE-2014-0050(2)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(12)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | libtomcat7-java (7.0.42-1ubuntu0.1) @ saucy | 2026-05-28 | ubuntu |
| redhat | jbossweb | 2015-05-14 | redhat |
| redhat | tomcat6 | 2014-05-21 | redhat |
| redhat | tomcat7-0:7.0.40-9_patch_02.ep6.el6 | 2014-05-21 | redhat |
| redhat | tomcat6-0:6.0.37-27_patch_04.ep6.el6 | 2014-05-21 | redhat |
| redhat | tomcat7 | 2014-05-21 | redhat |
| redhat | patch | 2014-05-06 | redhat |
| redhat | patch | 2014-04-30 | redhat |
| redhat | tomcat6-0:6.0.24-64.el6_5 | 2014-04-23 | redhat |
| redhat | patch | 2014-04-14 | redhat |
| redhat | patch | 2014-04-14 | redhat |
| redhat | jbossweb-0:7.3.0-2.Final_redhat_2.1.ep6.el6 | 2014-03-05 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| commons-fileupload:commons-fileupload | 1.0 ... 1.3 (9 versions) | 1.3.1 | — |
| org.apache.tomcat:tomcat | 7.0.35 ... 7.0.50 (8 versions) | 7.0.52 | — |
Additional Vendor Advisories
(13)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2014:0252MODERATE2014-02-06
RHSA-2014:0252 — Moderate
- Red HatRHSA-2014:0253MODERATE2014-02-06
RHSA-2014:0253 — Moderate
- Red HatRHSA-2014:0373MODERATE2014-02-06
RHSA-2014:0373 — Moderate
- Red HatRHSA-2014:0401MODERATE2014-02-06
RHSA-2014:0401 — Moderate
- Red HatRHSA-2014:0429MODERATE2014-02-06
RHSA-2014:0429 — Moderate
- Red HatRHSA-2014:0452MODERATE2014-02-06
RHSA-2014:0452 — Moderate
- Red HatRHSA-2014:0459MODERATE2014-02-06
RHSA-2014:0459 — Moderate
- Red HatRHSA-2014:0473MODERATE2014-02-06
RHSA-2014:0473 — Moderate
- Red HatRHSA-2014:0525MODERATE2014-02-06
RHSA-2014:0525 — Moderate
- Red HatRHSA-2014:0526MODERATE2014-02-06
RHSA-2014:0526 — Moderate
- Red HatRHSA-2014:0527MODERATE2014-02-06
RHSA-2014:0527 — Moderate
- Red HatRHSA-2014:0528MODERATE2014-02-06
RHSA-2014:0528 — Moderate
- UbuntuUSN-2130-1MEDIUM
Tomcat vulnerabilities
Data Freshness Timeline
(refreshed 3× in last 7d / 27× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-05 01:26 UTCOSV refresh
- 2026-07-04 06:27 UTCEPSS rescore
- 2026-07-02 15:21 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-28 04:53 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-25 13:47 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-23 21:30 UTCEPSS rescore
- 2026-06-22 14:22 UTCEPSS rescore
- 2026-06-22 14:22 UTCEPSS rescore
- 2026-06-21 14:53 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-21 01:57 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-17 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 17:49 UTCEPSS rescore
- 2026-06-16 13:13 UTCOSV refresh
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-12 23:08 UTCEPSS rescore
- 2026-06-11 13:56 UTCEPSS rescore
Show 20 moreShow fewer
- 2026-06-10 22:15 UTCEPSS rescore
- 2026-06-08 14:14 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-31 00:14 UTCEPSS rescore
- 2026-05-29 13:41 UTCEPSS rescore
- 2026-05-29 13:41 UTCEPSS rescore
- 2026-05-28 19:43 UTCEG score recompute
- 2026-05-28 19:43 UTCVendor advisory
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-27 13:38 UTCEPSS rescore
- 2026-05-22 19:13 UTCOSV refresh
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(2 references)Working exploit code is in the public domain (1 Metasploit module) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-31615✓ verifiedFirst seen Feb 12, 2014
Apache Commons FileUpload and Apache Tomcat - Denial of Service
Open source ↗ - Metasploitauxiliary/dos/http/apache_commons_fileupload_dos✓ verifiedFirst seen Feb 6, 2014
Apache Commons FileUpload and Apache Tomcat DoS
Open source ↗
Frequently asked(4)
What is CVE-2014-0050?
When was CVE-2014-0050 disclosed?
Is CVE-2014-0050 actively exploited?
How do I remediate CVE-2014-0050?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2014-0050
Is Your Infrastructure Affected by CVE-2014-0050?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.