Primary

Context

Apache Tomcat Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service in HTTP/2

Vulnerability

Patched

A denial-of-service vulnerability has been identified in Apache Tomcat versions 11.0.0-M1 prior to 11.0.8, 10.1.0-M1 prior to 10.1.42, and 9.0.0-M1 prior to 9.0.106. This vulnerability arises from uncontrolled resource consumption when an HTTP/2 client fails to acknowledge the initial settings frame that limits the maximum allowed concurrent streams.

Impact

Exploitation of this vulnerability can lead to uncontrolled resource consumption, causing a denial-of-service condition on the server.

Remediation

Users are advised to upgrade to Apache Tomcat 11.0.9, 10.1.43, or 9.0.107.

Added: Jul 10, 2025, 8:24 PM

Updated: Jul 10, 2025, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread

8.8

impact

2.5

exploitability

7.6

remediation

7.7

relevance

0.2

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.8

impact

2.5

exploitability

7.6

remediation

7.7

relevance

0.2

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Tomcat Uncontrolled Resource Consumption Vulnerability Leading to Denial-of-Service in HTTP/2

Vulnerability

Impact

Remediation

Affected Products

Apache Tomcat

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating