Here are some news items our team found interesting over the past week, which you might have missed.
-
Apache Tomcat versions prior to 11.0.12, 10.1.47, and 9.0.110 have a moderate risk (CVSS 5.3) DoS vulnerability related to delayed cleanup on multipart uploads (CVE-2025-61795). Essentially, Tomcat waits too long to cleanup leftover files that are uploaded in parts but not finished; malicious actors could use this to fill up disk and create a denial of service (DoS) or generate billing problems for a cloud filesystem. An interesting and easy-to-exploit vulnerability, but easy to mitigate (with uploads on a filesystem with well-managed quotas and monitoring). The vulnerable ranges include:
>=8.5.0 <=8.5.100,>=9.0.0.M1 <9.0.110,>=10.1.0-M1 <10.1.47, and>=11.0.0-M1 <11.0.12. Confirm by runningcatalina.sh version.
- Vercel’s AI SDK for TypeScript applications has a weakness in its feature to download files from remote hosts. It uses an allowlist to ensure only safe file types are accepted; CVE-2025-48985 (CVSS 3.7) is relatively minor, but represents a flaw in that logic that can allow a clever attacker to bypass the allowlist and send an unsafe file type. This is an index error. The severity is low due to low direct impacts and complexity of the attack; however, it would be useful in a foothold attack where the goal was to poison AI context to attack the AI.
Zero Research Updates. Subscribe today!
Another Tomcat CVE: DoS on multipart uploads
Apache Tomcat versions prior to 11.0.12, 10.1.47, and 9.0.110 have a moderate risk (CVSS 5.3) DoS vulnerability related to delayed cleanup on multipart uploads (CVE-2025-61795). Essentially, Tomcat waits too long to cleanup leftover files that are uploaded in parts but not finished; malicious actors could use this to fill up disk and create a denial of service (DoS) or generate billing problems for a cloud filesystem. An interesting and easy-to-exploit vulnerability, but easy to mitigate (with uploads on a filesystem with well-managed quotas and monitoring). The vulnerable ranges include: >=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.110, >=10.1.0-M1 <10.1.47, and >=11.0.0-M1 <11.0.12. Confirm by running catalina.sh version.
This issue results from the way multipart uploads work; the feature allows a larger file to be uploaded in multiple POST requests, allowing a file larger than the POST body size limit to be uploaded in pieces and reassembled. Each piece is stored in a temporary directory. When all pieces are uploaded, the final file is constructed and the temporary files removed.
An attacker could start many new uploads, but never finish them, meaning the pieces will sit on disk until cleaned up. Tomcat waits too long to detect this and clean up the temporary files, and the fix improves this detection logic.
Vercel’s AI SDK can be tricked into accepting unsafe file types
Vercel’s AI SDK (before version 5.0.52) for TypeScript applications has a weakness in its feature to download files from remote hosts. It uses an allowlist to ensure only safe file types are accepted; CVE-2025-48985 (CVSS 3.7) is relatively minor, but represents a flaw in that logic that can allow a clever attacker to bypass the allowlist and send an unsafe file type. This is an index error. The severity is low due to low direct impacts and complexity of the attack; however, it would be useful in a foothold attack where the goal was to poison AI context to attack the AI. Update to ai@5.0.52 or newer.
You can examine a project’s package definition file to identify affected projects, using commands like
npm ls ai # for NPM-based projects
yarn why ai # for Yarn-based projectsOr, if you’re a Checkmarx SCA customer, you can use your Global Inventory view to quickly identify all scanned projects that depend on the vulnerable version.