VYPR
High severityNVD Advisory· Published Feb 20, 2023· Updated Nov 3, 2025

Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts

CVE-2023-24998

Description

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
commons-fileupload:commons-fileuploadMaven
< 1.51.5
org.apache.tomcat:tomcat-coyoteMaven
>= 10.1.0-M1, < 10.1.510.1.5
org.apache.tomcat:tomcat-coyoteMaven
>= 11.0.0-M2, < 11.0.0-M511.0.0-M5
org.apache.tomcat:tomcat-coyoteMaven
>= 8.5.85, < 8.5.888.5.88
org.apache.tomcat:tomcat-coyoteMaven
>= 9.0.0-M1, < 9.0.719.0.71
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 10.1.0-M1, < 10.1.510.1.5
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 11.0.0-M2, < 11.0.0-M511.0.0-M5
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.5.85, < 8.5.888.5.88
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 9.0.0-M1, < 9.0.719.0.71
org.apache.tomcat:tomcat-catalinaMaven
>= 10.1.0-M1, < 10.1.510.1.5
org.apache.tomcat:tomcat-catalinaMaven
>= 11.0.0-M2, < 11.0.0-M511.0.0-M5
org.apache.tomcat:tomcat-catalinaMaven
>= 8.5.85, < 8.5.888.5.88
org.apache.tomcat:tomcat-catalinaMaven
>= 9.0.0-M1, < 9.0.719.0.71

Affected products

75

Patches

Vulnerability mechanics

References

20

News mentions

1