
CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request

Open Chenjp opened this issue 8 months ago • 5 comments

Flexible limitation policy. In particular, "partHeaderTotalSizeMax" provides a direct memory usage limit for all part headers at the request level.

partHeaderTotalSizeMax ~~and partHeaderTotalCountMax~~: apply to all header information for all parts in a single file upload request.

See BZ69710#c31

Chenjp avatar Jul 02 '25 08:07 Chenjp
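The request-level limit proposed above, as an added example that is not commons-fileupload code: a small multipart header scanner that enforces a per-part header cap together with a cumulative partHeaderTotalSizeMax budget, checking the budget before it reads each header block. The function name scan_part_headers, the PartHeaderLimitExceeded exception and the sample body are constructed for this illustration.

```python
# Added example (not commons-fileupload code): a per-part header cap plus a
# request-level cap on the total bytes of all part headers, enforced while scanning.

class PartHeaderLimitExceeded(Exception):
    """Raised as soon as a header limit would be exceeded, before reading further."""


def scan_part_headers(body: bytes, boundary: bytes,
                      part_header_size_max: int = 512,
                      part_header_total_size_max: int = 4096) -> list[int]:
    """Return the header-block size in bytes (blank line included) of every part.
    The CRLFCRLF ending each header block is searched for only within the remaining
    allowance, so neither one oversized header nor many small ones across parts can
    force unbounded buffering; an unterminated block counts as over the limit.
    """
    delim = b"--" + boundary
    sizes: list[int] = []
    total = 0
    pos = body.find(delim)                      # bytes before the first delimiter are preamble
    while pos != -1:
        after = pos + len(delim)
        if body[after:after + 2] == b"--":      # closing delimiter: no more parts
            break
        hdr_start = body.find(b"\r\n", after)   # headers start after the delimiter line
        if hdr_start == -1:
            raise ValueError("malformed body: delimiter line not terminated")
        hdr_start += 2
        allowance = min(part_header_size_max, part_header_total_size_max - total)
        hdr_end = body.find(b"\r\n\r\n", hdr_start, hdr_start + allowance) if allowance > 0 else -1
        if hdr_end == -1:
            raise PartHeaderLimitExceeded(
                f"part {len(sizes) + 1}: headers exceed the {allowance}-byte allowance")
        size = hdr_end + 4 - hdr_start
        sizes.append(size)
        total += size
        pos = body.find(delim, hdr_end + 4)     # skip the part body up to the next delimiter
    return sizes


# Constructed sample body: two parts whose header blocks are 88 and 44 bytes.
SAMPLE_BOUNDARY = b"----boundary"
SAMPLE_BODY = (
    b'------boundary\r\nContent-Disposition: form-data; name="f"; filename="a.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b'------boundary\r\nContent-Disposition: form-data; name="g"\r\n\r\nx\r\n'
    b"------boundary--\r\n"
)

if __name__ == "__main__":
    print(scan_part_headers(SAMPLE_BODY, SAMPLE_BOUNDARY))  # [88, 44]
```

Lowering part_header_total_size_max to 100 makes the second part fail even though each part on its own is well under the per-part cap, which is exactly the case the request-level limit exists for.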

partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.

There are a lot of unrelated changes in this PR. They should be removed.

With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

markt-asf avatar Jul 02 '25 09:07 markt-asf

> partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.
>
> There are a lot of unrelated changes in this PR. They should be removed.
>
> With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

@markt-asf Unrelated changes removed. Thanks.

Chenjp avatar Jul 03 '25 01:07 Chenjp

I'm confused. https://github.com/advisories/GHSA-vv7r-c36w-3prj says that the CVE is fixed in 2.0.0-M4, while this PR is still open. The OWASP scanner still reports 2.0.0-M4 as affected. Who's right?

dmoebius avatar Jul 09 '25 14:07 dmoebius

This is just an alternative approach. The CVE announcement from the ASF contains the correct version information. The OWASP scanner appears to be reporting a false positive.

markt-asf avatar Jul 09 '25 14:07 markt-asf

@garydgregory is it necessary to merge this into the master branch?

Chenjp avatar Sep 28 '25 08:09 Chenjp