CVE-2025-52520 (High) detected in tomcat-embed-core-9.0.56.jar

## CVE-2025-52520 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - tomcat-embed-core-9.0.56.jar</summary>

Core Tomcat implementation
Library home page: <a href="https://tomcat.apache.org/">https://tomcat.apache.org/</a>
Path to dependency file: /src/examples/JavaSpring/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.56/tomcat-embed-core-9.0.56.jar


Dependency Hierarchy:
 - spring-boot-starter-web-2.6.2.jar (Root Library)
 - spring-boot-starter-tomcat-2.6.2.jar
 - :x: **tomcat-embed-core-9.0.56.jar** (Vulnerable Library)
Found in HEAD commit: <a href="https://github.com/ignatandrei/BlocklyAutomation/commit/65d823526ff5e577818e96e962ef7b7fa50ec76a">65d823526ff5e577818e96e962ef7b7fa50ec76a</a>
Found in base branch: main

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions
may also be affected.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
 Mend Note: The description of this vulnerability differs from MITRE. 

Publish Date: 2025-07-10
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2025-52520>CVE-2025-52520</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107">https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107</a>
Release Date: 2025-07-06
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.107
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2025-52520 (High) detected in tomcat-embed-core-9.0.56.jar #331

CVE-2025-52520 - High Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

CVE-2025-52520 (High) detected in tomcat-embed-core-9.0.56.jar #331

Description

CVE-2025-52520 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions