IBM WebSphere Liberty HTTP/2 DoS Vulnerability (CVE-2025-36047) Advisory

Key Information Vulnerability Overview CVE ID: CVE-2025-36047 Description: IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service (DoS) attack when the HTTP/2 protocol is enabled with servlet-3.1, servlet-4.0, servlet-5.0, or servlet-6.0 features. A remote attacker can exploit this vulnerability by sending specially crafted requests, causing the server to consume excessive memory resources. Vulnerability Details CWE: CWE-770: Allocation of Resources Without Limits or Throttling CVSS Score: 5.3 CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Affected Products and Versions Affected Product: IBM WebSphere Application Server Liberty Versions: 18.0.0.2 - 25.0.0.8 Remediation Recommendation: IBM strongly recommends immediately applying the currently available interim fix or a fix pack that includes the correction for APAR PH66953. Upgrade Steps: - Upgrade to the required minimum fix pack level and apply the interim fix for PH66953. - Alternatively, apply Liberty Fix Pack 25.0.0.9 or later (expected to be released in the third quarter of 2025). Additional Information Workarounds and Mitigations: None Notification: Subscribe to My Notifications to receive alerts for future security advisories. References: - Complete CVSS v3 Guide - Online Calculator v3 Related Links: - IBM Secure Engineering Web Portal - IBM Product Security Incident Response Blog

Goal Reached Thanks to every supporter — we hit 100%!

IBM WebSphere Liberty HTTP/2 DoS Vulnerability (CVE-2025-36047) Advisory