CVE-2025-52434

Aliases:GHSA-4j3c-42xv-3f84BIT-tomcat-2025-52434
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 10 Jul 2025, 19:03
Last modified:04 Nov 2025, 21:11

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
1.21% LOW
1% probability +1.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

10 Jul 2025, 19:03
Published
Vulnerability first disclosed
04 Nov 2025, 21:11
Last Modified
Vulnerability information updated

Description

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

CVSS Metrics

  • v4.0HIGHScore: 8.9CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 1.21% Percentile: 79%

Techniques & Countermeasures

  • CWE-362Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

    The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Affected Systems

  • apache software foundationapache tomcat

    ≥ 9.0.0.M1, ≤ 9.0.106 | ≥ 8.5.0, ≤ 8.5.100

  • UnknownTomcat

    ≥ 9.0.0, < 9.0.107

  • org.apache.tomcattomcat-util

    ≥ 9.0.0.M1, < 9.0.107 | ≥ 8.5.0, ≤ 8.5.100

References (6)