Last Week in AppSec for 11. November 2025
ID: 91af8a9d-702f-569b-b465-f6e41cc221ae
STIX ID: report--91af8a9d-702f-569b-b465-f6e41cc221ae
Feed Name: Checkmarx Zero
Checkmarx's weekly report notes two disclosed vulnerabilities. Apache Tomcat (CVE-2025-61795) carries a moderate (CVSS 5.3) denial-of-service risk: delayed cleanup of multipart upload temporary files allows disk exhaustion or cloud billing abuse. Affected Tomcat ranges and a version-check command are provided. Vercel’s AI SDK (CVE-2025-48985, CVSS 3.7) contains an index error that can bypass an allowlist for downloaded file types, enabling potential poisoning of AI context; updating to version 5.0.52 or newer is recommended.
