Tomcat — контейнер сервлетов с открытым исходным кодом
Релизный цикл, информация об уязвимостях
График релизов
Количество 1 262
CVE-2025-53506
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-52520
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
CVE-2025-52434
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
BDU:2025-08954
Уязвимость сервера приложений Apache Tomcat, связанная с ошибками синхронизации при использовании общего ресурса («Ситуация гонки»), позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-08953
Уязвимость сервера приложений Apache Tomcat, связанная с целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2025-08952
Уязвимость сервера приложений Apache Tomcat, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
GHSA-wc4r-xq3c-5cf3
Apache Tomcat - Security constraint bypass for pre/post-resources
GHSA-h3gc-qfqq-6h8f
Apache Tomcat - DoS in multipart upload
GHSA-42wg-hm62-jcwg
Apache Tomcat installer for Windows has an untrusted search path vulnerability
CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability ...
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано 1 | |
|---|---|---|---|---|
 | CVE-2025-53506 Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | CVSS3: 5.3 | 0% Низкий | 5 месяцев назад |
| CVE-2025-52520 For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | CVSS3: 3.7 | 0% Низкий | 5 месяцев назад |
| CVE-2025-52434 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue. | CVSS3: 5.3 | 0% Низкий | 5 месяцев назад |
 | BDU:2025-08954 Уязвимость сервера приложений Apache Tomcat, связанная с ошибками синхронизации при использовании общего ресурса («Ситуация гонки»), позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 5.6 | 0% Низкий | 5 месяцев назад |
| BDU:2025-08953 Уязвимость сервера приложений Apache Tomcat, связанная с целочисленным переполнением, позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 5.6 | 0% Низкий | 5 месяцев назад |
| BDU:2025-08952 Уязвимость сервера приложений Apache Tomcat, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании | CVSS3: 5.6 | 0% Низкий | 5 месяцев назад |
| GHSA-wc4r-xq3c-5cf3 Apache Tomcat - Security constraint bypass for pre/post-resources | 0% Низкий | 6 месяцев назад | |
| GHSA-h3gc-qfqq-6h8f Apache Tomcat - DoS in multipart upload | CVSS3: 7.5 | 0% Низкий | 6 месяцев назад |
| GHSA-42wg-hm62-jcwg Apache Tomcat installer for Windows has an untrusted search path vulnerability | 0% Низкий | 6 месяцев назад | |
| CVE-2025-49125 Authentication Bypass Using an Alternate Path or Channel vulnerability ... | CVSS3: 7.5 | 0% Низкий | 6 месяцев назад |
Уязвимостей на страницу