SB2025061927 - cPanel EasyApache4 update for Apache Tomcat
Published: June 19, 2025 Updated: June 27, 2025
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2025-48976)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
2) Resource exhaustion (CVE-ID: CVE-2025-48988)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when handling multipart requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Improper Protection of Alternate Path (CVE-ID: CVE-2025-49125)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions when using PreResources or PostResources mounted other than at the root of the web application. A remote attacker can bypass configured security rules using an alternate path and gain unauthorized access to the application.
4) Untrusted search path (CVE-ID: CVE-2025-49124)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path in the application's installer on Windows. A local user can place a malicious binary icacls.exe into the current working directory of the installer file and execute arbitrary code with elevated privileges.
Note, the vulnerability affects Windows systems only.
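To check whether a deployment matches the condition described in item 3 (CVE-2025-49125), the following added example, which is not part of the original bulletin or of any vendor code, lists PreResources and PostResources entries in a Tomcat context.xml whose webAppMount is not the web application root. The sample XML, its paths and the function name non_root_mounts are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample context.xml; the base paths are illustrative only.
SAMPLE_CONTEXT = """\
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/opt/shared/static" webAppMount="/static"/>
    <PostResources className="org.apache.catalina.webresources.JarResourceSet"
                   base="/opt/shared/lib.jar" webAppMount="/"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/opt/shared/extra"/>
  </Resources>
</Context>
"""

RESOURCE_TAGS = ("PreResources", "PostResources")


def non_root_mounts(context_xml):
    """Return (tag, webAppMount, base) for each Pre/PostResources not mounted at "/"."""
    root = ET.fromstring(context_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in RESOURCE_TAGS:
            continue
        # Tomcat treats a missing webAppMount as the web application root "/".
        mount = elem.get("webAppMount", "/").strip() or "/"
        if mount != "/":
            findings.append((elem.tag, mount, elem.get("base", "")))
    return findings


if __name__ == "__main__":
    # Each finding is a resource set to review until the update is installed.
    for tag, mount, base in non_root_mounts(SAMPLE_CONTEXT):
        print(f"review: <{tag}> base={base!r} mounted at {mount!r}")
```

Any entry it reports is a resource set whose access rules should be reviewed until the update is installed.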
Remediation
Install the update from the vendor's website.