Apache Tomcat HTTP/2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Apache Tomcat's HTTP/2 implementation, affecting versions 11.0.0-M1 prior to 11.0.9, 10.1.0-M1 prior to 10.1.43, and 9.0.0-M1 prior to 9.0.107. The HTTP/2 implementation in these versions is susceptible to the 'made you reset' attack, which can lead to an OutOfMemoryError. Older, end-of-life versions may also be affected.

Impact

Exploitation of this vulnerability causes a denial-of-service condition, typically resulting in an OutOfMemoryError.

Remediation

Users should upgrade to Apache Tomcat 11.0.10 or later, 10.1.44 or later, or 9.0.108 or later.
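As an added example that is not part of this advisory, the following Python helper decides whether a given Tomcat version string is below the fixed release named under Remediation for its branch. It parses the milestone notation ("-Mn") used for the lower bounds, orders a milestone before the final release of the same number, and reports branches the advisory does not list (older, end-of-life lines) as needing separate review rather than silently calling them safe. The function names, the banner-line parsing and the sample version strings are this example's own constructions.

```python
import re

# Fixed releases from the advisory's Remediation section, keyed by branch.
# Anything on a listed branch that sorts below its fixed release is treated
# as needing the upgrade.
FIXED_BY_BRANCH = {
    (11, 0): (11, 0, 10),
    (10, 1): (10, 1, 44),
    (9, 0): (9, 0, 108),
}

# Matches "X.Y.Z" and milestone builds "X.Y.Z-Mn".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Matches the "Server version: Apache Tomcat/X.Y.Z" line that
# catalina.sh/catalina.bat prints for the "version" command.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_tomcat_version(text):
    """Turn 'X.Y.Z' or 'X.Y.Z-Mn' into a comparable tuple.

    Milestones sort before the final release with the same X.Y.Z:
    (X, Y, Z, 0, n) for a milestone, (X, Y, Z, 1, 0) for a release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version):
    """Return (status, fixed_version) for a Tomcat version string.

    status is 'affected' (below the fixed release on a listed branch),
    'fixed' (at or above it), or 'unsupported-branch' (the advisory does
    not list this branch; older, end-of-life lines may also be affected).
    """
    v = parse_tomcat_version(version)
    fixed = FIXED_BY_BRANCH.get((v[0], v[1]))
    if fixed is None:
        return ("unsupported-branch", None)
    fixed_text = "%d.%d.%d" % fixed
    if v < parse_tomcat_version(fixed_text):
        return ("affected", fixed_text)
    return ("fixed", fixed_text)


def assess_banner(line):
    """Extract the version from a 'Server version: Apache Tomcat/...' line
    and assess it."""
    m = _BANNER_RE.search(line)
    if not m:
        raise ValueError("no Tomcat version found in: %r" % line)
    return assess(m.group(1))


if __name__ == "__main__":
    # Constructed sample inputs; not output from any real host.
    samples = [
        "11.0.9",          # last release below the 11.0.x fix
        "11.0.10",         # fixed release
        "10.1.0-M1",       # milestone lower bound from the advisory
        "9.0.108",         # fixed release
        "8.5.100",         # branch the advisory does not list
    ]
    for s in samples:
        print("%-10s -> %s" % (s, assess(s)))
    print(assess_banner("Server version: Apache Tomcat/10.1.42"))
```

The check deliberately keys on the fixed releases rather than on the "prior to" wording of the affected range, so that a host is only reported as fixed once it is at or above the version the Remediation section tells users to upgrade to.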

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

  spread          8.8
  impact          2.5
  exploitability  6.4
  remediation     7.7
  relevance       0.3
  threat          0.0
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.