Covered by FixVibe (severity: high)

Apache Tomcat Coyote Improper Resource Shutdown or Release (CVE-2025-48989)

Apache Tomcat Coyote and embedded-core releases in affected 9.0.x, 10.1.x, and 11.0.x lines are vulnerable to CVE-2025-48989, a high-severity HTTP/2 denial-of-service advisory. FixVibe covers this as a repo-scan, version-based advisory when Maven or Gradle build evidence points to an affected Tomcat release line.

CVE-2025-48989, GHSA-gqp3-2cvr-x8m3, CWE-404

Attacker Impact

CVE-2025-48989 is a high-severity Apache Tomcat HTTP/2 denial-of-service advisory. Affected Tomcat releases can be vulnerable to the MadeYouReset attack, where resource handling failures may lead to resource exhaustion such as OutOfMemoryError and service unavailability [S1][S2].

The advisory covers Apache Tomcat 11.0.0-M1 through 11.0.9, 10.1.0-M1 through 10.1.43, and 9.0.0.M1 through 9.0.107. Older end-of-life Tomcat versions may also be affected [S2][S3].

Root Cause

The issue is an improper resource shutdown or release condition (CWE-404) in Tomcat's HTTP/2 handling. The affected Maven packages include org.apache.tomcat:tomcat-coyote and org.apache.tomcat.embed:tomcat-embed-core, which are commonly pulled into Java services directly, through a BOM or parent POM, through Spring Boot dependency management, or through an application server/container image [S2].

A dependency match is not the same as confirmed runtime exposure. Production risk depends on the dependency that actually ships, whether the vulnerable Tomcat release line is deployed, and whether the affected HTTP/2 path is enabled and reachable.

Concrete Fixes

Upgrade the deployed Tomcat release line to a fixed version [S2][S3]:

  • Tomcat 11.x: upgrade to 11.0.10 or newer.
  • Tomcat 10.1.x: upgrade to 10.1.44 or newer.
  • Tomcat 9.0.x: upgrade to 9.0.108 or newer.

For embedded Tomcat, update direct tomcat-coyote / tomcat-embed-core declarations, Tomcat BOMs, Spring Boot-managed versions, or Gradle constraints so the active dependency tree resolves only to a fixed release line. For external Tomcat deployments, upgrade the server package or container base image and redeploy the artifact that actually serves traffic.

Covered by FixVibe

FixVibe GitHub repo scans now cover this advisory as a version-based advisory. When a connected repository contains Maven or Gradle build evidence for affected Tomcat Coyote or embedded-core release lines, FixVibe reports the matching package, file path, version or constraint, confidence, evidence posture, detection type, advisory sources, fixed release line, and what could not be verified from source alone.

FixVibe verifies repository dependency evidence. It does not send HTTP/2 reset traffic, run denial-of-service probes, confirm that HTTP/2 is enabled, or prove that the matched dependency is the runtime serving production traffic. Teams should use the finding to drive dependency-tree review, artifact rebuild, deployment verification, and a normal application smoke test after upgrade.
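As an added illustration of the version-based check described above (example code written for this page, not FixVibe's scanner or any Tomcat project code), the following Python script classifies Maven dependency declarations against the affected ranges and fixed releases listed under Concrete Fixes. It handles both milestone spellings Tomcat has used (9.0.0.M1 and 10.1.0-M1), treats a missing or property-placeholder version as "unverified" because a BOM, parent POM or Spring Boot may manage it, and leaves release lines outside the advisory as unverified rather than clean. The sample pom.xml is constructed, not taken from a real project.

```python
import re
from xml.etree import ElementTree as ET
# Advisory data from this page: per release line, the last affected patch and the first fixed release.
ADVISORY = {(9, 0): (107, "9.0.108"), (10, 1): (43, "10.1.44"), (11, 0): (9, "11.0.10")}
AFFECTED_ARTIFACTS = {"org.apache.tomcat:tomcat-coyote",
                      "org.apache.tomcat.embed:tomcat-embed-core"}
def parse_tomcat_version(text):
    """Sortable key for a literal Tomcat version, or None for placeholders like ${tomcat.version}.
    Accepts both milestone spellings ('9.0.0.M1' and '10.1.0-M1'); a milestone sorts before
    the GA release that carries the same patch number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", text.strip())
    if not m:
        return None
    major, minor, patch, milestone = m.groups()
    ga_rank, ms = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), ga_rank, ms)
def assess(coordinate, version):
    """Classify one groupId:artifactId at its declared version against the advisory."""
    if coordinate not in AFFECTED_ARTIFACTS:
        return "not-covered", "artifact not named in the advisory"
    if not version:  # no <version>: managed by a BOM, parent POM or Spring Boot
        return "unverified", "version managed elsewhere; check the resolved dependency tree"
    key = parse_tomcat_version(version)
    if key is None:
        return "unverified", f"{version!r} is not a literal release number"
    line = key[:2]
    if line not in ADVISORY:
        return "unverified", "release line outside the advisory; EOL lines may still be affected"
    last_patch, fixed = ADVISORY[line]
    if key <= (line[0], line[1], last_patch, 1, 0):  # first milestone .. last affected GA patch
        return "affected", f"upgrade to {fixed} or newer"
    return "fixed", f"{version} is at or above {fixed}"
def scan_pom(pom_xml):
    """Return (coordinate, version, status, reason) for every <dependency> in a pom.xml."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]  # strip the Maven XML namespace from tags
    findings = []
    for dep in (e for e in ET.fromstring(pom_xml).iter() if local(e) == "dependency"):
        f = {local(c): (c.text or "").strip() for c in dep}
        coord = f"{f.get('groupId')}:{f.get('artifactId')}"
        status, reason = assess(coord, f.get("version"))
        findings.append((coord, f.get("version"), status, reason))
    return findings

# Constructed sample pom.xml (not from a real project) covering the main evidence postures.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId><version>10.1.43</version></dependency>
<dependency><groupId>org.apache.tomcat</groupId><artifactId>tomcat-coyote</artifactId><version>9.0.0.M1</version></dependency>
<dependency><groupId>org.apache.tomcat</groupId><artifactId>tomcat-coyote</artifactId><version>11.0.10</version></dependency>
<dependency><groupId>org.apache.tomcat.embed</groupId><artifactId>tomcat-embed-core</artifactId></dependency>
</dependencies></project>"""
```

Running `scan_pom(SAMPLE_POM)` flags the first two declarations as affected, accepts 11.0.10 as fixed, and reports the unversioned embed-core entry as unverified, which is the case that still needs a resolved dependency tree (for example `mvn dependency:tree`) rather than the pom alone.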