Apache Tomcat Coyote HTTP Server May Allow Remote Code Execution

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Apache Tomcat Coyote HTTP Server May Allow Remote Code Execution

ROOT-APP-MAVEN-CVE-2025-48989

Summary

A security patch has been released for the Apache Tomcat Coyote HTTP server. This patch fixes a vulnerability that could allow an attacker to execute malicious code on your server. If you use this server, you should update to a patched version to prevent potential security risks.

What to do

Update io.root.org.apache.tomcat:tomcat-coyote to version 10.1.39-root.io.6.
Update io.root.org.apache.tomcat:tomcat-coyote to version 10.1.39-root.io.8.
Update io.root.org.apache.tomcat:tomcat-coyote to version 10.1.39-root.io.9.
Update io.root.org.apache.tomcat:tomcat-coyote to version 10.1.39-root.io.10.

Affected software

Ecosystem	Vendor	Product	Affected versions
Root:Maven	–	io.root.org.apache.tomcat:tomcat-coyote	< 10.1.39-root.io.6 < 10.1.39-root.io.8 < 10.1.39-root.io.9 < 10.1.39-root.io.10 Fix: upgrade to 10.1.39-root.io.6

Original title

CVE-2025-48989 in io.root.org.apache.tomcat:tomcat-coyote - Patched by Root

Original description

Root has patched CVE-2025-48989 in the io.root.org.apache.tomcat:tomcat-coyote package for Root:Maven. Multiple fixed versions available.

Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 14 Apr 2026