| Summary: Xerox evaluated DocuShare against Apache Tomcat CVE-2025-48989 and determined that standard DocuShare deployments are not affected: the CVE depends on HTTP/2, and DocuShare does not use HTTP/2 in its shipped configuration. |
Applies To
| DocuShare Release | Guidance |
| DocuShare 7.5 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 7.6 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 7.7 | Not affected under the standard Xerox DocuShare configuration. |
| DocuShare 8.0 | Not affected under the standard Xerox DocuShare configuration. |
Overview
CVE-2025-48989 is an Apache Tomcat resource-shutdown issue described as part of the "made you reset" (MadeYouReset) attack class. Apache indicates the issue affects Tomcat 9.0.x through 9.0.107 and is fixed upstream in 9.0.108 or later.
Xerox engineering analysis confirmed that this CVE affects sites using HTTP/2. DocuShare does not use HTTP/2 in its shipped Tomcat configuration, so the vulnerable connection-handling path is not reachable in a standard DocuShare deployment.
This conclusion is based on the shipped DocuShare connector configuration and applies across the supported DocuShare 7.5, 7.6, 7.7, and 8.0 release line.
What the Vulnerability Requires
The documented exploit path depends on Tomcat features that are not part of the standard DocuShare deployment model.
- Tomcat in the affected version range.
- HTTP/2 enabled for the traffic path under review.
- A deployment where the vulnerable connection-handling path can be reached through that HTTP/2 configuration.
DocuShare Assessment
| Assessment Item | Finding |
| Xerox engineering analysis | DocuShare is not affected because this CVE affects sites using HTTP/2. |
| DocuShare shipped configuration | HTTP/2 is not used in the standard Xerox DocuShare configuration. |
| Customer guidance | No action is required for a standard DocuShare deployment. |
| Important: If your organization has introduced custom HTTP/2 handling or connector changes outside the standard Xerox DocuShare configuration, review those customizations with Xerox DocuShare Support because the standard deployment analysis would no longer be the relevant baseline. |
What You Should Do
- No action is required for a standard Xerox DocuShare deployment.
- If your organization has introduced custom HTTP/2 handling outside the standard DocuShare configuration, review that customization with Xerox DocuShare Support.
- If a vulnerability scanner flags only the Tomcat version, use this advisory to ensure the deployment-specific HTTP/2 requirement is evaluated correctly.
- Xerox recommends that customers remain on the latest Xerox-supported DocuShare patch level available for their release as part of normal maintenance.
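
When a scanner flags only the Tomcat version, the HTTP/2 precondition can be checked directly against the connector configuration. The following is an added example, not Xerox or DocuShare code: it treats a connector as HTTP/2-enabled when its `<Connector>` element contains Tomcat's `UpgradeProtocol` entry for `org.apache.coyote.http2.Http2Protocol`, and it checks only the 9.0.x range cited above. The function names, result strings and sample XML are constructed for illustration; the path to your `server.xml` is supplied on the command line, and HTTP/2 terminated by a proxy in front of Tomcat is outside what this check sees.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Class name Tomcat uses to enable HTTP/2 on a connector.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

def http2_connector_ports(server_xml):
    """Ports of <Connector> elements carrying an active HTTP/2 UpgradeProtocol.
    Commented-out entries are ignored because the XML parser drops comments."""
    root = ET.fromstring(server_xml)
    return [
        conn.get("port", "unknown")
        for conn in root.iter("Connector")
        if any(up.get("className", "").strip() == HTTP2_CLASS
               for up in conn.iter("UpgradeProtocol"))
    ]

def in_cited_range(version):
    """True/False for Tomcat 9.0.x (affected through 9.0.107);
    None for other branches, which this advisory does not cover."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m or (m.group(1), m.group(2)) != ("9", "0"):
        return None
    return int(m.group(3)) <= 107

def triage(version, server_xml):
    """Combine the version check with the HTTP/2 precondition."""
    ports = http2_connector_ports(server_xml)
    affected = in_cited_range(version)
    if affected is None:
        return "version outside the 9.0.x range covered here", ports
    if not affected:
        return "fixed version (9.0.108 or later)", ports
    if ports:
        return "affected version with HTTP/2 enabled: review", ports
    return "affected version, HTTP/2 not enabled: precondition not met", ports

# Constructed samples, not DocuShare's shipped server.xml.
SAMPLE_HTTP11 = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""
SAMPLE_HTTP2 = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

if __name__ == "__main__":  # usage: <script> <tomcat-version> <path-to-server.xml>
    with open(sys.argv[2], "rb") as fh:
        print(triage(sys.argv[1], fh.read()))
```

A result that lists any port for an affected version means the standard-deployment analysis is no longer the relevant baseline and the customization should go to Xerox DocuShare Support.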