VIR Vulnerability Intelligence Relay

CVE-2025-48989

high
Published 2025-08-20 · Modified 2025-08-22
CVSS v3
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2
VIR risk
7.5

Description

Important: tomcat security update

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/9/ALSA-2025-14181.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://errata.almalinux.org/8/ALSA-2025-14177.html

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2379386

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2379382

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2379374

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2373309

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2373020

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2373018

vendor Authored 2026-05-27

Vendor advisory: alma — https://bugzilla.redhat.com/2373015

vendor Authored 2026-05-27

Vendor advisory: alma — https://access.redhat.com/errata/RHSA-2025:14177

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2025-48989

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:14181

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2025-48989.html

vendor Authored 2026-05-27

Vendor advisory: rocky — https://errata.rockylinux.org/RLSA-2025:14177

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2025:14181

OS impact
OSVersionStatusFixed in
redhat rhel9fixed
rockylinux rocky8fixed
suse slesaffected
rockylinux rocky9fixed
debian debianbookwormfixed10.1.52-1~deb12u1
debian debianforkyfixed10.1.52-1
debian debiansidfixed10.1.52-1
debian debiantrixiefixed10.1.52-1~deb13u1
debian debianbullseyefixed9.0.70-2

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.apache.tomcat:tomcat-coyote>=11.0.0-M1,<11.0.1011.0.10
java Mavenorg.apache.tomcat:tomcat-coyote>=10.1.0-M1,<10.1.4410.1.44
java Mavenorg.apache.tomcat:tomcat-coyote>=9.0.0.M1,<9.0.1089.0.108
java Mavenorg.apache.tomcat.embed:tomcat-embed-core>=11.0.0-M1,<11.0.1011.0.10
java Mavenorg.apache.tomcat.embed:tomcat-embed-core>=10.1.0-M1,<10.1.4410.1.44
java Mavenorg.apache.tomcat.embed:tomcat-embed-core>=9.0.0.M1,<9.0.1089.0.108
java MAVENorg.apache.tomcat.embed:tomcat-embed-core>= 9.0.0.M1, < 9.0.1089.0.108
java MAVENorg.apache.tomcat.embed:tomcat-embed-core>= 10.1.0-M1, < 10.1.4410.1.44
java MAVENorg.apache.tomcat.embed:tomcat-embed-core>= 11.0.0-M1, < 11.0.1011.0.10
java MAVENorg.apache.tomcat:tomcat-coyote>= 9.0.0.M1, < 9.0.1089.0.108
java MAVENorg.apache.tomcat:tomcat-coyote>= 10.1.0-M1, < 10.1.4410.1.44
java MAVENorg.apache.tomcat:tomcat-coyote>= 11.0.0-M1, < 11.0.1011.0.10

Application impact
VendorProductVersionsFixed
apache apachetomcat{"startIncluding":"9.0.1","endExcluding":"9.0.108"}9.0.108
apache apachetomcat9.0.0

References

CWEs

CWE-404

Verify integrity in audit chain (admin only). AS-IS.