Apache Tomcat DoS Flaw: Multipart Upload File Cleanup Failure Exposes Disk Space Exhaustion Risk
A denial-of-service vulnerability has been identified in Apache Tomcat versions 9.x through 11.x, stemming from improper handling of temporary files during failed multipart upload operations. The flaw, classified as an Improper Resource Shutdown or Release vulnerability, allows temporary copies of uploaded parts to persist on disk when errors occur (including when upload limits are exceeded) instead of being deleted immediately.
Under certain conditions, the accumulation of these unreleased temporary files can outpace the Java garbage collection process. JVM settings, application memory usage, and server load determine whether disk space depletes faster than the system can reclaim it, potentially rendering the service unavailable. The vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, and 9.0.0.M1 through 9.0.109. Additionally, end-of-life versions 8.5.0 through 8.5.100 are confirmed affected, with older EOL releases possibly also at risk.
Users are advised to upgrade to Tomcat 11.0.12, 10.1.47, or 9.0.110 or later. For applications using the embedded Tomcat library, upgrading org.apache.tomcat.embed:tomcat-embed-core to version 10.1 or higher addresses the issue. Organizations running affected Tomcat instances should prioritize patching, particularly those handling high volumes of multipart file uploads, where the likelihood of encountering the related errors is elevated.
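Until an instance is patched, an operator can watch for the symptom the advisory describes: multipart temp files that outlive the request that created them. The following check is an added example, not code from the advisory or the Tomcat project; it assumes the temp files follow the commons-fileupload naming pattern `upload_*.tmp` under Tomcat's work directory (adjust `TEMP_GLOB` and the path if your deployment differs).

```python
import os
import tempfile
import time
from pathlib import Path

# Assumption: Tomcat's repackaged commons-fileupload DiskFileItem writes
# "upload_<uid>_<n>.tmp" into the context temp dir under the work directory.
TEMP_GLOB = "upload_*.tmp"


def stale_upload_temps(work_dir, max_age_s, now=None):
    """Return (paths, total_bytes) of multipart temp files older than max_age_s.

    An upload in progress keeps its temp file only briefly; a file that has
    outlived max_age_s is a leaked copy from a failed or aborted request.
    """
    now = time.time() if now is None else now
    stale, total = [], 0
    for path in Path(work_dir).rglob(TEMP_GLOB):
        try:
            st = path.stat()
        except FileNotFoundError:
            continue  # removed between listing and stat: not a leak
        if now - st.st_mtime >= max_age_s:
            stale.append(path)
            total += st.st_size
    return stale, total


def assess(work_dir, max_age_s=600, max_stale_bytes=512 * 1024 * 1024, now=None):
    """Classify the work dir: 'ok', 'warn' (leaked files) or 'critical' (bytes over threshold)."""
    stale, total = stale_upload_temps(work_dir, max_age_s, now)
    if not stale:
        return "ok"
    return "critical" if total >= max_stale_bytes else "warn"


def make_sample_work_dir(now):
    """Build a throwaway work dir with constructed sample files for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="tomcat-work-"))
    ctx = root / "Catalina" / "localhost" / "ROOT"
    ctx.mkdir(parents=True)
    for i in range(3):  # three leaked copies from failed uploads, an hour old
        leaked = ctx / f"upload_abc_{i}.tmp"
        leaked.write_bytes(b"x" * 1024)
        os.utime(leaked, (now - 3600, now - 3600))
    live = ctx / "upload_abc_9.tmp"  # an upload still in progress
    live.write_bytes(b"y" * 10)
    os.utime(live, (now, now))
    (ctx / "session.ser").write_bytes(b"z" * 100)  # unrelated file, ignored
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_work_dir(time.time())
    print(assess(target), stale_upload_temps(target, 600))
```

Run it with the real work directory as the first argument (for example `/opt/tomcat/work`) from cron or a monitoring agent; a "warn" or "critical" result on an affected version is the disk-exhaustion condition the advisory warns about.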