Apache Tomcat Utilities is vulnerable to resource exhaustion when using the APR/Native connector
Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...
CVE-2025-53506
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1...
CVE-2025-52434
Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...
CVE-2025-53506 Apache Tomcat: DoS via excessive h2 streams at connection start
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1...
CVE-2025-53506
CVE-2025-53506 is an Uncontrolled Resource Consumption vulnerability in Apache Tomcat's HTTP/2 handling: if an HTTP/2 client does not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, the server can be pushed into a DoS-like condition at connection start. Affected versions span Tomcat 11...
CVE-2025-52434 Apache Tomcat: APR/Native Connector crash leading to DoS
Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...
CVE-2025-52434
CVE-2025-52434 is a race-condition DoS in Apache Tomcat when using the APR/Native connector, observed in Tomcat 9.0.0.M1 through 9.0.106 (including older EOL lines) and potentially affecting selected Tomcat 8.x/11.x/10.x configurations via related advisories. The National Vulnerability Database d...
CVE-2025-49630
In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with...
Apache Tomcat 10.1.0.M1 < 10.1.43 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 10.1.43. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.43_security-10 advisory. - The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially...
Apache Tomcat 9.0.0.M1 < 9.0.107 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 9.0.107. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.107_security-9 advisory. - The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially...
PT-2025-29086 · Open Information Security Foundation · Suricata
Name of the Vulnerable Software and Affected Versions: Suricata versions 7.0.10 and below; Suricata versions 8.0.0-beta1 through 8.0.0-rc1. Description: Suricata, a network IDS, IPS, and NSM engine, is affected by an issue where mishandling of data on HTTP/2 stream 0 can lead to uncontrolled memory...
curl: Integer Overflow Risk in HTTP/2 Proxy Window Size Calculations
Summary: The HTTP/2 proxy implementation in curl contains potential integer overflow vulnerabilities in buffer size calculations that could lead to memory corruption or denial of service. AI Usage Statement: This report was prepared by a human security researcher after manual code review. No AI w...
Fixed in Apache Tomcat 11.0.9
Low: DoS due to overflow in file upload limit CVE-2025-52520 For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. This was fixed with commit a51e4bed. This issue was reported to the Tomcat security team on 7 June...
Fixed in Apache Tomcat 9.0.107
Important: APR/Native Connector crash leading to DoS CVE-2025-52434 A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections. This was fixed with commit...
Fixed in Apache Tomcat 10.1.43
Low: DoS due to overflow in file upload limit CVE-2025-52520 For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. This was fixed with commit fc42bbcc. This issue was reported to the Tomcat security team on 7 June...
K000152389: golang: net/http, x/net/http2 vulnerability CVE-2023-39325
Security Advisory Description A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allo...