GHSA-25xr-qj8w-c4vf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-25xr-qj8w-c4vf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-25xr-qj8w-c4vf/GHSA-25xr-qj8w-c4vf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-25xr-qj8w-c4vf
- Aliases
- Published
- 2025-07-10T21:31:53Z
- Modified
- 2025-07-11T23:32:47.576309Z
- Downstream
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U CVSS Calculator
- Summary
- Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
- Details
-
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
- Database specific
{ "nvd_published_at": "2025-07-10T20:15:26Z", "github_reviewed_at": "2025-07-11T13:50:26Z", "github_reviewed": true, "cwe_ids": [ "CWE-400" ], "severity": "MODERATE" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-53506
- https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
- https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
- https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
- https://github.com/apache/tomcat
- https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
Affected packages
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Affected versions
11.*
11.0.0-M1
11.0.0-M3
11.0.0-M4
11.0.0-M5
11.0.0-M6
11.0.0-M7
11.0.0-M9
11.0.0-M10
11.0.0-M11
11.0.0-M12
11.0.0-M13
11.0.0-M14
11.0.0-M15
11.0.0-M16
11.0.0-M17
11.0.0-M18
11.0.0-M19
11.0.0-M20
11.0.0-M21
11.0.0-M22
11.0.0-M24
11.0.0-M25
11.0.0-M26
11.0.0
11.0.1
11.0.2
11.0.3
11.0.4
11.0.5
11.0.6
11.0.7
11.0.8
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Affected versions
10.*
10.1.0-M1
10.1.0-M2
10.1.0-M4
10.1.0-M5
10.1.0-M6
10.1.0-M7
10.1.0-M8
10.1.0-M10
10.1.0-M11
10.1.0-M12
10.1.0-M14
10.1.0-M15
10.1.0-M16
10.1.0-M17
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.9
10.1.10
10.1.11
10.1.12
10.1.13
10.1.14
10.1.15
10.1.16
10.1.17
10.1.18
10.1.19
10.1.20
10.1.23
10.1.24
10.1.25
10.1.26
10.1.28
10.1.29
10.1.30
10.1.31
10.1.33
10.1.34
10.1.35
10.1.36
10.1.39
10.1.40
10.1.41
10.1.42
Maven / org.apache.tomcat:tomcat-coyote
Package
- Name
- org.apache.tomcat:tomcat-coyote
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tomcat/tomcat-coyote
Affected versions
9.*
9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68
9.0.69
9.0.70
9.0.71
9.0.72
9.0.73
9.0.74
9.0.75
9.0.76
9.0.78
9.0.79
9.0.80
9.0.81
9.0.82
9.0.83
9.0.84
9.0.85
9.0.86
9.0.87
9.0.88
9.0.89
9.0.90
9.0.91
9.0.93
9.0.94
9.0.95
9.0.96
9.0.97
9.0.98
9.0.99
9.0.100
9.0.102
9.0.104
9.0.105
9.0.106