Apache: >> Commons Fileupload >> 1.3 Security Vulnerabilities
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload.
This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4.
Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-06-16
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
CVSS Score
7.5
EPSS Score
0.315
Published
2023-02-20
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
CVSS Score
9.8
EPSS Score
0.291
Published
2016-10-25
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
CVSS Score
7.5
EPSS Score
0.219
Published
2016-07-04
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
CVSS Score
7.5
EPSS Score
0.927
Published
2014-04-01