Skip to main content

Java CVE-2025-52434

| EUVD-2025-21045 HIGH
Race Condition (CWE-362)
2025-07-10 security@apache.org GHSA-4j3c-42xv-3f84
Denial Of Service Apache Java Race Condition Red Hat Tomcat Suse
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21045
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 19:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 10 maven packages depend on org.apache.tomcat:tomcat-util (8 direct, 2 indirect)

Ecosystem-wide dependent count for version 9.0.0.M1.

DescriptionNVD

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 9.0.107, which fixes the issue.

AnalysisAI

Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.

Technical ContextAI

The vulnerability exists in Apache Tomcat's APR/Native connector (libapr), which handles low-level network I/O operations. The race condition (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) occurs in the HTTP/2 protocol handler when multiple threads concurrently access shared connection state during client-initiated connection closure. HTTP/2's multiplexed streams and connection management increase the likelihood of race conditions if proper locking mechanisms are absent or insufficient. The APR connector directly interfaces with operating system network APIs (via libapr-1), making synchronization critical to prevent inconsistent state access. Affected CPE: cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:* and cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:8.5.100:*:*:*:*:*:*:*

RemediationAI

Primary: Upgrade: Upgrade to Apache Tomcat 9.0.107 or later; details: Tomcat 9.0.107 includes fixes for the APR/Native connector race condition in HTTP/2 connection handling. Verify APR/Native connector is in use (check server.xml for Connector protocol='org.apache.coyote.http11.Http11AprProtocol' or HTTP/2 variant). Full release notes available at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Secondary: Workaround (if upgrade delayed): Disable APR/Native connector or revert to NIO/BIO connectors; details: Edit CATALINA_HOME/conf/server.xml and change Connector protocol from 'org.apache.coyote.http11.Http11AprProtocol' to 'org.apache.coyote.http11.Http11NioProtocol'. This avoids the vulnerable APR/Native code path but may impact performance. Restart Tomcat after modification. Tertiary: Mitigation: Implement connection pooling limits and monitoring; details: Restrict maxConnections and maxThreads in Connector configuration to reduce concurrent connection scenarios that could trigger race condition. Monitor for unexpected connection closures or server restarts in logs.

More from same product – last 7 days

CVE-2025-48977 HIGH
8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve
CVE-2026-9277 HIGH
8.1 May 22

Command injection in the shell-quote npm package allows attackers who can influence object-token inputs to inject arbitr
CVE-2026-9256 HIGH
8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
CVE-2026-42782 HIGH
7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig
CVE-2026-43827 MEDIUM
5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

Vendor StatusVendor

Ubuntu

Priority: Medium
tomcat9
Release Status Version
noble not-affected 9.0.70-2ubuntu0.1
plucky not-affected -
upstream released 9.0.70-2
bionic needed -
focal needed -
jammy needed -
questing not-affected -

Debian

tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.107-0+deb11u1 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) fixed 9.0.70-2 -
DLA-4244-1

Share

CVE-2025-52434 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy