Cyber Resilience

CVE-2023-24998

High · DDoS

Published: 20 February 2023
Modified: 03 November 2025
KEV Added: not listed
Patch: fixed in FileUpload 1.5
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.3716 (97.3rd percentile)
Risk Priority: 37 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24998 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Apache Commons FileUpload. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Apache Commons FileUpload before version 1.5 is affected by a denial-of-service vulnerability in which the library imposes no limit on the number of request parts that will be processed during a multipart upload. The flaw is tracked as CWE-770 and carries a CVSS 3.1 base score of 7.5, reflecting network attackability without authentication or user interaction and a high impact on availability.

An unauthenticated remote attacker can submit a single malicious multipart request or a sustained series of such requests containing an excessive number of parts. Because the component continues to allocate resources for every part, the target application or service can be driven into resource exhaustion, resulting in a denial of service.

Advisories from the Apache project, Debian, and Gentoo indicate that the issue is resolved in FileUpload 1.5 by the addition of the FileUploadBase#setFileCountMax configuration option; however, the limit is not enabled by default and must be explicitly set by integrators. Corresponding package updates have been issued for affected distributions, including Debian DSA-5522 and Gentoo GLSA-202305-37.

The CVE’s EPSS score reached a peak of 0.5353 before receding to its current value of 0.3774, indicating measurable post-disclosure interest in exploitation.


Vulnerability details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
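The point made in both the deeper analysis and the vulnerability details above is that FileUpload 1.5 only removes the unbounded part count when the integrator sets the limit. The following is an added example, not code from the advisory or the Apache project; it assumes commons-fileupload 1.5 and the servlet API are on the classpath, the class name BoundedMultipartParser and the numeric limits are illustrative, and it catches the FileCountLimitExceededException that 1.5 raises when fileCountMax is exceeded.

```java
// Added example (not from the advisory or Apache): opting in to the 1.5 fix.
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class BoundedMultipartParser {

    // Illustrative limits (assumptions); tune them to the application's needs.
    private static final long MAX_PARTS = 10;                // parts per request
    private static final long MAX_FILE_BYTES = 5L << 20;     // 5 MiB per part
    private static final long MAX_REQUEST_BYTES = 20L << 20; // 20 MiB per request

    /** Vulnerable pattern: default configuration, no part-count limit. */
    static ServletFileUpload unboundedUpload() {
        // fileCountMax defaults to -1 (unlimited) even on 1.5, so a request
        // carrying an enormous number of parts is still processed in full.
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    /** Hardened pattern: every limit the library offers is set explicitly. */
    static ServletFileUpload boundedUpload() {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        upload.setFileCountMax(MAX_PARTS);      // the 1.5 option for CVE-2023-24998
        upload.setFileSizeMax(MAX_FILE_BYTES);  // per-part size cap
        upload.setSizeMax(MAX_REQUEST_BYTES);   // whole-request size cap
        return upload;
    }

    /** Parses a multipart request and maps a part-count violation to a clear error. */
    static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return boundedUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Raised once the part count passes fileCountMax, before further
            // parts are allocated; the caller should answer with a 4xx status.
            throw new FileUploadException("too many parts (limit " + MAX_PARTS + ")", e);
        }
    }
}
```

A detection-side check for the same gap is to grep deployments for ServletFileUpload construction without a matching setFileCountMax call; on 1.5 the absence of that call is the vulnerable state.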

CWE(s)

CWE-770: Allocation of Resources Without Limits or Throttling

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: commons fileupload
Versions: 1.0 to 1.5

Vendor: debian
Product: debian linux
Versions: 9.0, 11.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-770

This control implements explicit throttling on session allocation, addressing the weakness of allocating resources without limits.

addresses: CWE-770

Plan testing exercises resource allocation limits and throttling during simulated failures, directly addressing weaknesses that allow unbounded resource use.

addresses: CWE-770

Contingency plan updates ensure recovery strategies address unbounded resource allocation, making it harder for attackers to exploit lack of throttling to cause prolonged outages.

addresses: CWE-770

Provides continuity when unbounded resource allocation at the primary site leads to exhaustion and downtime.

addresses: CWE-770

Alternate services allow operations to continue when primary allocation of resources lacks limits or throttling.

addresses: CWE-770

Explicit planning of security-related actions requires defining limits, windows, and resource allocations, making allocation without throttling far less likely.

addresses: CWE-770

Measures of performance include tracking allocation behavior and throttling effectiveness, reducing the window for resource exhaustion attacks.

addresses: CWE-770

Imposes an inactivity-based limit on network resource allocation, throttling the number of concurrently held connections.
