CVE-2025-53506

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGH

EPSS

0.4%

top 37.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat Apache Tomcat

Timeline

PublishedJul 10

Description

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶Mavenorg.apache.tomcat:tomcat-coyote11.0.0-M1 — 11.0.9+3

▶Mavenorg.apache.tomcat.embed:tomcat-embed-core9.0.0.M1 — 9.0.107+3

▶NVDapache/tomcat9.0.0 — 9.0.106+2

▶CVEListV5apache_software_foundation/apache_tomcat11.0.0-M1 — 11.0.8+3

▶Debiantomcat9< 9.0.107-0+deb11u1+3

🔴Vulnerability Details

OSV

CVE-2025-53506: Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the m↗2025-07-10

▶

GHSA

Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams↗2025-07-10

▶

CVEList

Apache Tomcat: DoS via excessive h2 streams at connection start↗2025-07-10

▶

OSV

Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams↗2025-07-10

▶

📋Vendor Advisories

Red Hat

tomcat: Apache Tomcat denial of service↗2025-07-10

▶

Debian

CVE-2025-53506: tomcat10 - Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 cl...↗2025

▶