[CIVN-2025-0146] Multiple vulnerabilities in Apache Tomcat
Multiple vulnerabilities in Apache Tomcat
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Apache Tomcat version 9.0.0.M1 to 9.0.106
Overview
Multiple vulnerabilities have been reported in Apache Tomcat, which could be exploited by an attacker to cause a denial-of-service (DoS) condition or disrupt normal processing of HTTP/2 streams on the targeted system.
Target Audience:
All end-user organisations and individuals responsible for maintaining and updating Apache Tomcat.
Risk Assessment:
High risk of service disruption and resource exhaustion.
Impact Assessment:
Potential for Denial of Service (DoS) or service instability in certain configurations.
Description
Apache Tomcat is an open-source web server and servlet container that runs Java-based web applications.
These vulnerabilities exist due to improper handling of HTTP/2 requests when using the APR/Native connector, as well as flaws in multipart file upload processing and HTTP/2 stream validation. An attacker could exploit these vulnerabilities by sending specially crafted requests, potentially leading to resource exhaustion or disrupted stream processing.
Successful exploitation could allow an attacker to exhaust system resources or impair service availability.
Solution
Upgrade to Apache Tomcat 9.0.107 or later.
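To confirm whether a deployed instance falls inside the affected range stated above (9.0.0.M1 up to and including 9.0.106, fixed in 9.0.107), the following added example checks a Tomcat version string, including milestone builds such as 9.0.0.M1, against that range. It is illustrative code written for this advisory, not CERT-In or Apache tooling; the sample `catalina.sh version` output it parses is constructed here.

```python
import re
from typing import Optional, Tuple

# Range taken from the advisory: affected from 9.0.0.M1 through 9.0.106, fixed in 9.0.107.
AFFECTED_MIN = "9.0.0.M1"
FIXED_IN = "9.0.107"

# Constructed sample of `catalina.sh version` output (not captured from a real host).
SAMPLE_OUTPUT = """Server version: Apache Tomcat/9.0.98
Server built:   Jan 1 2025 00:00:00 UTC
Server number:  9.0.98.0
OS Name:        Linux
"""


def parse_tomcat_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn 'major.minor.patch[.build]' or a milestone 'major.minor.patch.M<n>'
    into a comparable tuple. Milestones sort before the final release of the
    same number, so 9.0.0.M1 < 9.0.0 < 9.0.1."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(?:M(\d+)|(\d+)))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is not None:           # milestone build, rank 0
        return (major, minor, patch, 0, int(m.group(4)))
    build = int(m.group(5)) if m.group(5) is not None else 0
    return (major, minor, patch, 1, build)  # final release, rank 1


def is_affected(version: str) -> bool:
    """True when the version lies in [AFFECTED_MIN, FIXED_IN); other branches
    (8.5.x, 10.1.x) are outside this advisory's stated range and return False."""
    v = parse_tomcat_version(version)
    return parse_tomcat_version(AFFECTED_MIN) <= v < parse_tomcat_version(FIXED_IN)


def version_from_catalina_output(output: str) -> Optional[str]:
    """Extract the version from `catalina.sh version` output, preferring the
    'Server number:' line and falling back to 'Server version: Apache Tomcat/x'."""
    m = re.search(r"Server number:\s*([\w.]+)", output)
    if m:
        return m.group(1)
    m = re.search(r"Server version:\s*Apache Tomcat/([\w.]+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = version_from_catalina_output(SAMPLE_OUTPUT)
    print(f"Tomcat {found}: {'AFFECTED, upgrade to ' + FIXED_IN if is_affected(found) else 'not in affected range'}")
```

On a live host, replace SAMPLE_OUTPUT with the captured output of `$CATALINA_HOME/bin/catalina.sh version`.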
Vendor Information
Apache Tomcat
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107
References
Apache Tomcat
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107
CVE Name
CVE-2025-52434
CVE-2025-52520
CVE-2025-53506
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003