Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows
Description
Incomplete Cleanup vulnerability in Apache Tomcat.
The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full.
Other EOL versions may also be affected.
Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tomcat on Windows fails to clean up temporary uploaded files if the application does not close the upload stream, leading to a disk-full denial of service.
Vulnerability
Overview
CVE-2023-42794 is an incomplete cleanup vulnerability in Apache Tomcat's internal fork of Commons FileUpload, affecting versions 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 on Windows [1]. The flaw originates from an unreleased refactoring that introduced a failure to delete temporary files when a web application opens an uploaded file stream but does not close it [2].
Exploitation
Conditions
On Windows platforms, if a web application opens an InputStream for an uploaded file and fails to properly close it, the temporary file remains on disk indefinitely [2]. No special privileges or authentication are required beyond the ability to upload files through a vulnerable Tomcat-based application. The attack surface is limited to applications that rely on Tomcat's file upload handling and misuse the stream lifecycle.
Impact
An attacker can repeatedly trigger this temporary-file leak by uploading files, causing temporary files to accumulate on disk over time [1]. Because the files are never deleted, this can lead to the filesystem becoming full, resulting in a denial of service (DoS) condition in which the server can no longer operate normally [2]. The impact is cumulative and may take time to manifest, but it does not require high complexity or privileges.
Mitigation
Apache has addressed the issue in Tomcat 9.0.81 and 8.5.94 [1]. Users are strongly recommended to upgrade to these or later versions. As an interim workaround, applications should ensure that all input streams for uploaded files are properly closed in a finally block. End-of-life (EOL) Tomcat versions may also be vulnerable but will not receive patches [1].
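The stream-lifecycle condition described under Conditions, and the interim workaround given above, are illustrated by the following servlet. This is an added example written for this page; it is not code from Tomcat, from the advisory, or from any real application. It assumes the javax.servlet API that Tomcat 8.5 and 9.0 ship, and the servlet name, URL mapping and destination directory are constructed for illustration. The first method shows the pattern the advisory warns about (the stream from getInputStream() is never closed); the second is the hardened form that closes the stream on every path and releases the part's backing storage explicitly.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

import javax.servlet.ServletException;
import javax.servlet.annotation.MultipartConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.Part;

// Hypothetical upload servlet: the mapping, directory and method names are
// illustrative and not taken from any real project.
@WebServlet("/upload")
@MultipartConfig(fileSizeThreshold = 1024 * 1024, maxFileSize = 10L * 1024 * 1024)
public class UploadServlet extends HttpServlet {

    // Assumed destination directory for accepted uploads.
    private static final Path DEST = Path.of("/var/app/uploads");

    // VULNERABLE PATTERN (kept only to show the defect): the stream returned by
    // getInputStream() is read but never closed, and an exception thrown by
    // copy() skips any cleanup that might follow. On the affected Tomcat
    // versions on Windows this is the condition under which the temporary
    // upload file is never deleted.
    private void leakyCopy(Part part) throws IOException {
        InputStream in = part.getInputStream();
        Files.copy(in, DEST.resolve(safeName(part)), StandardCopyOption.REPLACE_EXISTING);
        // no in.close()
    }

    // HARDENED PATTERN: try-with-resources closes the stream whether copy()
    // succeeds or throws; the finally block then releases the part's backing
    // storage so cleanup does not depend on a later step of the container.
    private void safeCopy(Part part) throws IOException {
        try (InputStream in = part.getInputStream()) {
            Files.copy(in, DEST.resolve(safeName(part)), StandardCopyOption.REPLACE_EXISTING);
        } finally {
            part.delete(); // Servlet API: deletes the item's temporary disk file
        }
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Files.createDirectories(DEST);
        for (Part part : req.getParts()) {
            if (part.getSubmittedFileName() == null) {
                continue; // ordinary form field, not a file part
            }
            safeCopy(part); // never leakyCopy(part)
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Strip client-supplied path components and unusual characters so the
    // stored file cannot escape DEST; unrelated to the CVE but expected in
    // any upload handler.
    private static String safeName(Part part) {
        String name = part.getSubmittedFileName();
        int cut = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = name.substring(cut + 1).replaceAll("[^A-Za-z0-9._-]", "_");
        return base.replaceAll("^\\.+$", "").isEmpty() ? "upload.bin" : base;
    }
}
```

The point of the hardened method is that closing happens on every exit path, not only on the success path: a finally block or try-with-resources is what the workaround above means by "properly closed". Calling part.delete() afterwards is belt-and-braces for applications that cannot yet move to 9.0.81 or 8.5.94; upgrading remains the actual fix.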
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat-coyote | Maven | >= 9.0.70, < 9.0.81 | 9.0.81 |
| org.apache.tomcat:tomcat-coyote | Maven | >= 8.5.85, < 8.5.94 | 8.5.94 |
Affected products
38 entries: 37 OSV coordinates (no CPE assigned) and one vendor/product record. Each coordinate is listed with its affected range.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/tomcat-8.5.87-jamf-compat | < 8.5.87-r3 |
| pkg:bitnami/tomcat | >= 8.5.85, < 8.5.94 |
| pkg:deb/ubuntu/tomcat10@10.1.16-1?arch=source&distro=noble | >= 0 |
| pkg:deb/ubuntu/tomcat10@10.1.25-1?arch=source&distro=oracular | >= 0 |
| pkg:deb/ubuntu/tomcat10@10.1.35-1?arch=source&distro=plucky | >= 0 |
| pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.13+esm1?arch=source&distro=esm-infra/xenial | >= 0 |
| pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3+esm5?arch=source&distro=esm-apps/bionic | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2+esm7?arch=source&distro=esm-apps/bionic | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.9+esm2?arch=source&distro=esm-apps/focal | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.58-1ubuntu0.2?arch=source&distro=jammy | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.70-2ubuntu0.1?arch=source&distro=noble | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.70-2ubuntu1.24.10.2?arch=source&distro=oracular | >= 0 |
| pkg:deb/ubuntu/tomcat9@9.0.70-2ubuntu1.25.04.2?arch=source&distro=plucky | >= 0 |
| pkg:maven/org.apache.tomcat/tomcat-coyote | >= 9.0.70, < 9.0.81 |
| pkg:rpm/almalinux/tomcat | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-admin-webapps | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-docs-webapp | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-el-3.0-api | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-jsp-2.3-api | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-lib | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-servlet-4.0-api | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/almalinux/tomcat-webapps | < 1:9.0.62-27.el8_9.2 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5 | < 9.0.85-150200.57.1 |
| pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweed | < 9.0.82-2.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1 | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5 | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4 | < 9.0.85-150200.57.1 |
| pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3 | < 9.0.85-150200.57.1 |

Vendor/product record (v5 range): Apache Software Foundation / Apache Tomcat, 9.0.70
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-jm7m-8jh6-29hp (source: ghsa; type: ADVISORY)
- lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82 (source: ghsa; vendor advisory; type: WEB)
- nvd.nist.gov/vuln/detail/CVE-2023-42794 (source: ghsa; type: ADVISORY)
- www.openwall.com/lists/oss-security/2023/10/10/8 (source: ghsa; type: WEB)
News mentions
No linked articles in our index yet.