CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request #425

Open

wants to merge 5 commits into base: master

Conversation


@Chenjp Chenjp commented Jul 2, 2025

Flexible limitation policy. Particularly, "partHeaderTotalSizeMax" provides a direct memory usage limit for all parts' headers at request level.

partHeaderTotalSizeMax and partHeaderTotalCoutMax: apply to all header information for all parts in a single upload file request.

See BZ69710#c31

…SizeMax

Flexible limitation policy. Particularly, "partHeaderTotalSizeMax" provides a direct memory usage limit for all parts' headers.

See BZ69710#c31
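As an added illustration (not code from this PR or from Commons FileUpload), the following Python scanner contrasts the pre-existing per-part header limit with the request-level partHeaderTotalSizeMax idea: every part in the constructed request stays under the per-part cap, yet the request is rejected once the sum of all parts' header bytes passes the request-level cap. The limits, function names and sample body are assumptions.

```python
# Added example, not Commons FileUpload code. Minimal multipart/form-data header
# scanner: a per-part cap alone leaves memory unbounded (many small parts), a
# request-level cap over all parts' headers bounds it. Limits are illustrative.

class PartHeaderLimitExceeded(Exception):
    pass

def scan_part_headers(body: bytes, boundary: str,
                      part_header_size_max: int = 512,
                      part_header_total_size_max: int = 2048) -> list:
    """Return each part's header block, enforcing both limits.

    part_header_size_max       caps a single part's header block.
    part_header_total_size_max caps the sum of all parts' header blocks in
                               this request (the partHeaderTotalSizeMax idea).
    """
    delim = b"--" + boundary.encode()
    headers = []
    total = 0
    for chunk in body.split(delim)[1:]:        # drop the preamble
        if chunk.startswith(b"--"):            # closing delimiter "--boundary--"
            break
        chunk = chunk.lstrip(b"\r\n")
        head, sep, _ = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without header terminator")
        size = len(head) + len(sep)
        if size > part_header_size_max:
            raise PartHeaderLimitExceeded(f"part header {size} > {part_header_size_max}")
        total += size                          # accumulate across the whole request
        if total > part_header_total_size_max:
            raise PartHeaderLimitExceeded(
                f"total part headers {total} > {part_header_total_size_max}")
        headers.append(head)
    return headers

def build_request(boundary: str, parts: int, pad_len: int) -> bytes:
    """Constructed sample body: `parts` parts, each with a pad_len-byte filler header."""
    part = (b"--" + boundary.encode() + b"\r\n"
            b"Content-Disposition: form-data; name=\"f\"\r\n"
            b"X-Pad: " + b"a" * pad_len + b"\r\n\r\n"
            b"v\r\n")
    return part * parts + b"--" + boundary.encode() + b"--\r\n"

if __name__ == "__main__":
    print(len(scan_part_headers(build_request("b", 2, 100), "b")))   # 2 parts accepted
    try:
        scan_part_headers(build_request("b", 50, 100), "b")           # each part < 512 B
    except PartHeaderLimitExceeded as e:
        print("rejected:", e)                                        # total > 2048 B
```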
@markt-asf
Contributor

partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.

There are a lot of unrelated changes in this PR. They should be removed.

With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

Chenjp added 3 commits July 3, 2025 09:06
per Mark's comment, partHeaderTotalCountMax is sufficient enough.
@Chenjp
Author

Chenjp commented Jul 3, 2025

> partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.
>
> There are a lot of unrelated changes in this PR. They should be removed.
>
> With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

@markt-asf Unrelated changes removed. Thanks.

@Chenjp Chenjp changed the title from "CVE-2025-48976: Introduce partHeaderTotalSizeMax and partHeaderTotalCoutMax" to "CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request" Jul 3, 2025

Member

@garydgregory garydgregory left a comment

Hi @Chenjp
Thank you for your update. Please see my comments and add Javadoc @since tags for new public and protected elements.

@Chenjp Chenjp requested a review from garydgregory July 4, 2025 00:27
@dmoebius

dmoebius commented Jul 9, 2025

I'm confused. GHSA-vv7r-c36w-3prj says that the CVE is fixed in 2.0.0-M4, while this PR is still open. The OWASP scanner still reports 2.0.0-M4 as affected. Who's right?

@markt-asf
Contributor

This is just an alternative approach.
The CVE announcement from the ASF contains the correct version information.
The OWASP scanner appears to be reporting a false positive.
