Skip to content

CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request#425

Closed
Chenjp wants to merge 7 commits intoapache:masterfrom
Chenjp:enhance_part_headers_limits
Closed

CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request#425
Chenjp wants to merge 7 commits intoapache:masterfrom
Chenjp:enhance_part_headers_limits

Conversation

@Chenjp
Copy link

@Chenjp Chenjp commented Jul 2, 2025
edited
Loading

Flexible limitation policy. Particularly, "partHeaderTotalSizeMax" provides a direct memory usage limits for all parts headers in request level.

partHeaderTotalSizeMax and partHeaderTotalCoutMax: apply to all header information for all parts in a single upload file request.

See BZ69710#c31

@Chenjp
CVE-2025-48976: Introduce partHeaderTotalCountMax and partHeaderTotal…
2f7e205 
…SizeMax

Flexible limitation policy. Particularly, "partHeaderTotalSizeMax" provides a direct memory usage limits for all parts headers.

See BZ69710#c31
@markt-asf
Copy link
Contributor

markt-asf commented Jul 2, 2025

partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.

There are a lot of unrelated changes in this PR. They should be removed.

With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

Chenjp added 3 commits July 3, 2025 09:06
@Chenjp
Revoke partHeaderTotalCountMax
4173d7b 
per Mark's comment, partHeaderTotalCountMax is sufficient enough.
@Chenjp
unchanged code / unsed
7652925
@Chenjp
Update FileItemHeadersImpl.java
c8d07e1
@Chenjp
Copy link
Author

Chenjp commented Jul 3, 2025

partHeaderTotalSizeMax looks to be sufficient. No need to limit header count as well.

There are a lot of unrelated changes in this PR. They should be removed.

With the new limit in place the per part header size limit could be relaxed/removed. In 2.0 at least anyway.

@markt-asf Unrelated changes removed. Thanks.

@Chenjp Chenjp changed the title CVE-2025-48976: Introduce partHeaderTotalSizeMax and partHeaderTotalCoutMax CVE-2025-48976: Introduce partHeaderTotalSizeMax for all parts of a single request Jul 3, 2025
garydgregory
garydgregory requested changes Jul 3, 2025
View reviewed changes
Copy link
Member

@garydgregory garydgregory left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Chenjp
Thank you for your update. Please see my comments and add Javadoc since tags for new public and protected elements.

@Chenjp Chenjp requested a review from garydgregory July 4, 2025 00:27
@dmoebius
Copy link

dmoebius commented Jul 9, 2025

I'm confused. GHSA-vv7r-c36w-3prj says that the CVE is fixed in 2.0.0-M4, while this PR is still open. The OWASP scanner still reports 2.0.0-M4 as affected. Who's right?

@markt-asf
Copy link
Contributor

markt-asf commented Jul 9, 2025

This is just an alternative approach.
The CVE announcement from the ASF contains the correct version information.
The OWASP scanner appears to be reporting a false positive.

@Chenjp
Copy link
Author

Chenjp commented Sep 28, 2025

@garydgregory is it necessary to merge into master branch?

@garydgregory
Copy link
Member

garydgregory commented Feb 8, 2026

@markt-asf Since the current code handles CVE-2025-48976, it seems safe to close this PR. Check?

@markt-asf
Copy link
Contributor

markt-asf commented Feb 9, 2026

@garydgregory I'm not seeing this as essential. There is a limit on the number of files/parts and a limit on the header size per file/part. An additional limit on the total header size is just a different way of expressing broadly the same limit. There are subtle functional differences but I haven't seen any user requests for this so why add new features no-one is asking for?

@garydgregory
Copy link
Member

garydgregory commented Feb 9, 2026

Closing in agreement with @markt-asf above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@garydgregory garydgregory Awaiting requested review from garydgregory

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Chenjp @markt-asf @dmoebius @garydgregory