GHSA-hfrx-6qgj-fp6cHighCVSS 7.5

Apache Commons FileUpload denial of service vulnerability

Published
February 20, 2023
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

🎯 Affected products13

  • maven/commons-fileupload:commons-fileupload:< 1.5
  • maven/org.apache.tomcat:tomcat-coyote:>= 10.1.0-M1, < 10.1.5
  • maven/org.apache.tomcat:tomcat-coyote:>= 11.0.0-M2, < 11.0.0-M5
  • maven/org.apache.tomcat:tomcat-coyote:>= 8.5.85, < 8.5.88
  • maven/org.apache.tomcat:tomcat-coyote:>= 9.0.0-M1, < 9.0.71
  • maven/org.apache.tomcat.embed:tomcat-embed-core:>= 10.1.0-M1, < 10.1.5
  • maven/org.apache.tomcat.embed:tomcat-embed-core:>= 11.0.0-M2, < 11.0.0-M5
  • maven/org.apache.tomcat.embed:tomcat-embed-core:>= 8.5.85, < 8.5.88
  • maven/org.apache.tomcat.embed:tomcat-embed-core:>= 9.0.0-M1, < 9.0.71
  • maven/org.apache.tomcat:tomcat-catalina:>= 10.1.0-M1, < 10.1.5
  • maven/org.apache.tomcat:tomcat-catalina:>= 11.0.0-M2, < 11.0.0-M5
  • maven/org.apache.tomcat:tomcat-catalina:>= 8.5.85, < 8.5.88
  • maven/org.apache.tomcat:tomcat-catalina:>= 9.0.0-M1, < 9.0.71

🔗 References (21)