Skip to main content

Tomcat CVE-2025-52434

| EUVDEUVD-2025-21045 HIGH
Race Condition (CWE-362)
2025-07-10 security@apache.org GHSA-4j3c-42xv-3f84
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21045
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 19:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (3 direct, 0 indirect)
  • 5 maven packages depend on org.apache.tomcat:tomcat-coyote (3 direct, 2 indirect)
  • 10 maven packages depend on org.apache.tomcat:tomcat-util (8 direct, 2 indirect)

Ecosystem-wide dependent count for version 9.0.0.M1 and other introduced versions.

DescriptionCVE.org

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.

This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 9.0.107, which fixes the issue.

AnalysisAI

Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.

Technical ContextAI

The vulnerability exists in Apache Tomcat's APR/Native connector (libapr), which handles low-level network I/O operations. The race condition (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) occurs in the HTTP/2 protocol handler when multiple threads concurrently access shared connection state during client-initiated connection closure. HTTP/2's multiplexed streams and connection management increase the likelihood of race conditions if proper locking mechanisms are absent or insufficient. The APR connector directly interfaces with operating system network APIs (via libapr-1), making synchronization critical to prevent inconsistent state access. Affected CPE: cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:* and cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:8.5.100:*:*:*:*:*:*:*

RemediationAI

Primary: Upgrade: Upgrade to Apache Tomcat 9.0.107 or later; details: Tomcat 9.0.107 includes fixes for the APR/Native connector race condition in HTTP/2 connection handling. Verify APR/Native connector is in use (check server.xml for Connector protocol='org.apache.coyote.http11.Http11AprProtocol' or HTTP/2 variant). Full release notes available at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Secondary: Workaround (if upgrade delayed): Disable APR/Native connector or revert to NIO/BIO connectors; details: Edit CATALINA_HOME/conf/server.xml and change Connector protocol from 'org.apache.coyote.http11.Http11AprProtocol' to 'org.apache.coyote.http11.Http11NioProtocol'. This avoids the vulnerable APR/Native code path but may impact performance. Restart Tomcat after modification. Tertiary: Mitigation: Implement connection pooling limits and monitoring; details: Restrict maxConnections and maxThreads in Connector configuration to reduce concurrent connection scenarios that could trigger race condition. Monitor for unexpected connection closures or server restarts in logs.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Vendor StatusVendor

Ubuntu

Priority: Medium
tomcat9
Release Status Version
noble not-affected 9.0.70-2ubuntu0.1
plucky not-affected -
upstream released 9.0.70-2
bionic needed -
focal needed -
jammy needed -
questing not-affected -

Debian

tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.107-0+deb11u1 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) fixed 9.0.70-2 -

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Fixed

Share

CVE-2025-52434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy