Just throwing this out there in case anyone else is ever searching for CVE-2025-48989 and Commvault as keywords. I contacted Commvault Support to confirm that the instance of Tomcat in Commvault is not affected. Here is the response.
The development has provided the following information:
- Regarding CVE-2025-48989: Commvault does not enable HTTP/2 on our Tomcat instance, so this is not applicable which means that commvault servers are not affected with this vulnerability.
