How to fix EUVD-2025-21045?

Within 24 hours: Identify all Tomcat instances in production and development using APR/Native connector and document current versions. Within 7 days: Test Tomcat 9.0.107 upgrade in non-production environment and develop rollback procedures. Within 30 days: Execute production upgrades during scheduled maintenance windows, prioritizing customer-facing and critical systems first.

Is Race Condition affected by EUVD-2025-21045?

Apache Tomcat instances using the APR/Native connector are vulnerable to a race condition that could allow attackers to cause service disruption or potential data corruption during HTTP/2 client disconnections.

EUVD-2025-21045

| CVE-2025-52434 HIGH

2025-07-10 [email protected]

GHSA-4j3c-42xv-3f84

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 16, 2026 - 06:52 euvd

EUVD-2025-21045

Analysis Generated

Mar 16, 2026 - 06:52 vuln.today

CVE Published

Jul 10, 2025 - 19:15 nvd

HIGH 7.5

Description

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

Analysis

Apache Tomcat contains a race condition vulnerability in the APR/Native connector that can be triggered during concurrent HTTP/2 connection handling, particularly when clients initiate connection closes. The vulnerability affects Tomcat 9.0.0.M1 through 9.0.106 (and EOL versions 8.5.0-8.5.100), allowing remote unauthenticated attackers to cause denial of service through improper synchronization of shared resources. With a CVSS score of 7.5 and network-accessible attack vector requiring no authentication, this represents a high-severity availability impact, though no active public exploitation has been confirmed.

Technical Context

The vulnerability exists in Apache Tomcat's APR/Native connector (libapr), which handles low-level network I/O operations. The race condition (CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization) occurs in the HTTP/2 protocol handler when multiple threads concurrently access shared connection state during client-initiated connection closure. HTTP/2's multiplexed streams and connection management increase the likelihood of race conditions if proper locking mechanisms are absent or insufficient. The APR connector directly interfaces with operating system network APIs (via libapr-1), making synchronization critical to prevent inconsistent state access. Affected CPE: cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:9.0.106:*:*:*:*:*:*:* and cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:* through cpe:2.3:a:apache:tomcat:8.5.100:*:*:*:*:*:*:*

Affected Products

- product: Apache Tomcat; affected_versions: 9.0.0.M1 through 9.0.106; fixed_version: 9.0.107; status: Actively maintained - product: Apache Tomcat; affected_versions: 8.5.0 through 8.5.100; fixed_version: None (EOL); status: End-of-life; users should upgrade to 9.0.107+

Remediation

Primary: Upgrade: Upgrade to Apache Tomcat 9.0.107 or later; details: Tomcat 9.0.107 includes fixes for the APR/Native connector race condition in HTTP/2 connection handling. Verify APR/Native connector is in use (check server.xml for Connector protocol='org.apache.coyote.http11.Http11AprProtocol' or HTTP/2 variant). Full release notes available at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Secondary: Workaround (if upgrade delayed): Disable APR/Native connector or revert to NIO/BIO connectors; details: Edit CATALINA_HOME/conf/server.xml and change Connector protocol from 'org.apache.coyote.http11.Http11AprProtocol' to 'org.apache.coyote.http11.Http11NioProtocol'. This avoids the vulnerable APR/Native code path but may impact performance. Restart Tomcat after modification. Tertiary: Mitigation: Implement connection pooling limits and monitoring; details: Restrict maxConnections and maxThreads in Connector configuration to reduce concurrent connection scenarios that could trigger race condition. Monitor for unexpected connection closures or server restarts in logs.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +38

POC: 0

Vendor Status

Ubuntu

Priority: Medium

tomcat9

Release	Status	Version
noble	not-affected	9.0.70-2ubuntu0.1
plucky	not-affected	-
upstream	released	9.0.70-2
bionic	needed	-
focal	needed	-
jammy	needed	-
questing	not-affected	-

Debian

tomcat9

Release	Status	Fixed Version	Urgency
bullseye	fixed	9.0.107-0+deb11u1	-
bullseye (security)	fixed	9.0.107-0+deb11u2	-
bookworm	fixed	9.0.70-2	-
trixie	fixed	9.0.95-1	-
forky, sid	fixed	9.0.115-1	-
(unstable)	fixed	9.0.70-2	-

DLA-4244-1

EUVD-2025-21045 vulnerability details – vuln.today

Back

EUVD-2025-21045

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code