Hi,

On Mon, Jun 23, 2025 at 12:12 PM Charpe, Anil <acha...@ptc.com.invalid> wrote:
>
> Hi,
> It is about the CVE-2025-48988 mentioned in the email subject.
> I have a question: if we update the "Apache Commons FileUpload" jar to
> the version which fixes the CVE-2025-48976, in that case, do we still need to
> update the Apache Tomcat to 9.0.106, 10.1.42 & 11.0.8, which have
> CVE-2025-48988 fixed?
> Or is it not needed to update the Tomcat to these versions?

You need to upgrade Tomcat since it uses its own internal copy of fileupload to process the Servlet API multipart functionality. Be aware of https://bz.apache.org/bugzilla/show_bug.cgi?id=69710 and adjust the maxPartCount parameter on the Connector according to your needs.

If you are parsing multipart using fileupload directly, then you could only upgrade fileupload itself.

Rémy

> Thanks & Regards,
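An added example, not part of the thread and not Tomcat project code: a Python check that compares a Tomcat version with the fixed releases named in the question and lists the maxPartCount attribute of each Connector in a server.xml. The function names are hypothetical, and the sample server.xml with its value of 50 is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases for CVE-2025-48988 as named in the thread, keyed by branch.
FIXED = {(9, 0): (9, 0, 106), (10, 1): (10, 1, 42), (11, 0): (11, 0, 8)}

def needs_upgrade(version):
    """True if older than the fixed release of its branch, False if not,
    None if unparsable or on a branch the thread does not name."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    parts = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts < fixed

def connector_part_limits(server_xml):
    """(port, maxPartCount or None) for every Connector in a server.xml string."""
    root = ET.fromstring(server_xml)
    limits = []
    for conn in root.iter("Connector"):
        raw = conn.get("maxPartCount")
        limits.append((conn.get("port"), int(raw) if raw is not None else None))
    return limits

# Constructed sample configuration; the value 50 is illustrative only.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxPartCount="50"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
  </Service>
</Server>"""

def report(version, server_xml):
    """Human-readable findings for one Tomcat version and its server.xml."""
    verdict = {True: "upgrade required", False: "at or above fixed release",
               None: "branch not covered by this check"}[needs_upgrade(version)]
    lines = [f"Tomcat {version}: {verdict}"]
    for port, limit in connector_part_limits(server_xml):
        if limit is None:
            lines.append(f"Connector {port}: maxPartCount not set, server default applies")
        else:
            lines.append(f"Connector {port}: maxPartCount={limit}")
    return lines

if __name__ == "__main__":
    print("\n".join(report("9.0.105", SAMPLE_SERVER_XML)))
```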