CVE-2025-53506

Aliases:GHSA-25xr-qj8w-c4vfBIT-tomcat-2025-53506
Advisory lineage Upstream: 0 Downstream: 23
Modified
Published: 10 Jul 2025, 19:14
Last modified:04 Nov 2025, 21:11

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (cve.org)
EPSS Score
1.25% LOW
1% probability +1.04%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

10 Jul 2025, 19:14
Published
Vulnerability first disclosed
04 Nov 2025, 21:11
Last Modified
Vulnerability information updated

Description

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 1.25% Percentile: 80%

Techniques & Countermeasures

  • CWE-400Uncontrolled Resource Consumption

    The product does not properly control the allocation and maintenance of a limited resource.

Affected Systems

  • apache software foundationapache tomcat

    ≥ 11.0.0-M1, ≤ 11.0.8 | ≥ 10.1.0-M1, ≤ 10.1.42 | ≥ 9.0.0.M1, ≤ 9.0.106 | ≥ 8.5.0, ≤ 8.5.100

  • UnknownTomcat

    ≥ 9.0.0, ≤ 9.0.106 | ≥ 10.1.0, ≤ 10.1.42 | ≥ 11.0.0, ≤ 11.0.8

  • org.apache.tomcattomcat-coyote

    ≥ 11.0.0-M1, < 11.0.9 | ≥ 10.1.0-M1, < 10.1.43 | ≥ 9.0.0.M1, < 9.0.107 | ≥ 8.5.0, ≤ 8.5.100

  • org.apache.tomcat.embedtomcat-embed-core

    ≥ 8.5.0, ≤ 8.5.100 | ≥ 9.0.0.M1, < 9.0.107 | ≥ 10.1.0-M1, < 10.1.43 | ≥ 11.0.0-M1, < 11.0.9

References (8)