Warning: Multiple Vulnerabilities in Apache Tomcat Leading to Denial of Service, Patch Immediately!

Published: 07/07/2025
  • Last update: 07/07/2025
  • Affected software: Apache Tomcat
  • Affected versions: 9.0.0 - 9.0.106
  • Type:
        → CWE-20: Improper Input Validation
        → CWE-399: Resource Management Errors
        → CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’)
  • CVE/CVSS:
        → CVE-2025-52434: CVSS 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green)
        → CVE-2025-52520: CVSS 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green)
        → CVE-2025-53506: CVSS 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green)

 

Sources

Apache Foundation https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107
 

Risks

Apache Tomcat is a popular open-source server used to host and manage Java-based web applications. CVE-2025-52434, CVE-2025-52520 and CVE-2025-53506 are three medium-severity vulnerabilities that allow a remote attacker to send specially crafted HTTP requests to the server and perform a denial of service (DoS) attack. Exploiting these flaws could allow threat actors to severely compromise the availability of affected systems. It is crucial for organizations to update their Apache Tomcat installations to mitigate this risk and ensure business continuity.
 

Description

CVE-2025-52434 exists due to insufficient validation of user-supplied input when handling HTTP/2 requests with APR/Native. A remote attacker can send specially crafted HTTP requests to the server and perform a denial of service (DoS) attack.

CVE-2025-52520 exists due to an overflow in the handling of the file upload limit. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.

CVE-2025-53506 exists because the application does not properly control the consumption of internal resources when handling an excessive number of HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
 

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
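As an added example (not part of the CCB advisory and not Apache tooling), the following Python script helps with the patch triage step: it takes the version string reported by a Tomcat installation and tells you whether it falls in the affected range 9.0.0 - 9.0.106 stated above, with 9.0.107 as the first fixed release per the Apache source link. It only covers the 9.0.x range this advisory lists; other release branches are not assessed. The banner format it parses (`Server version: Apache Tomcat/9.0.105`) is the line printed by Tomcat's `version.sh`/`version.bat`; the sample banner below is constructed for the example.

```python
"""Check whether a reported Apache Tomcat version is in the affected range.

Affected range and fixed version are taken from the advisory text:
  affected: 9.0.0 - 9.0.106, fixed in 9.0.107.
"""
import re
from typing import Dict, Optional, Tuple

# Values as stated in the advisory / Apache security page.
AFFECTED_MIN: Tuple[int, int, int] = (9, 0, 0)
AFFECTED_MAX: Tuple[int, int, int] = (9, 0, 106)
FIXED_VERSION: Tuple[int, int, int] = (9, 0, 107)
RELATED_CVES = ("CVE-2025-52434", "CVE-2025-52520", "CVE-2025-53506")

# major.minor.patch with an optional suffix such as "-M1" (milestone builds).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")
# Line emitted by Tomcat's version script; assumed format for this example.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+[^\s]*)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch[-suffix]' into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def extract_version_from_banner(banner: str) -> Optional[str]:
    """Pull the version string out of 'Server version: Apache Tomcat/x.y.z' output."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True if the version lies in the advisory's affected 9.0.x range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def assess(version: str) -> Dict[str, object]:
    """Return a small triage record for one installation."""
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "cves": list(RELATED_CVES) if affected else [],
        "action": (
            "upgrade to %d.%d.%d or later" % FIXED_VERSION if affected
            else "not in the 9.0.x range listed by this advisory"
        ),
    }


# Constructed sample banner, mimicking `version.sh` output on a vulnerable host.
SAMPLE_BANNER = (
    "Server version: Apache Tomcat/9.0.105\n"
    "Server built:   Apr 1 2025 00:00:00 UTC\n"
    "Server number:  9.0.105.0\n"
)

if __name__ == "__main__":
    found = extract_version_from_banner(SAMPLE_BANNER)
    print(assess(found) if found else "no Tomcat version found in banner")
```

Run it with the real output of `bin/version.sh` piped into `SAMPLE_BANNER` (or read from stdin) to get a record you can feed into a patch tracker; the `affected` flag is the only field that decides the action, and it deliberately errors on unparseable strings rather than silently reporting "not affected".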
  
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
  
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

CVE Program: https://www.cve.org/CVERecord?id=CVE-2025-52434
CVE Program: https://www.cve.org/CVERecord?id=CVE-2025-52520
CVE Program: https://www.cve.org/CVERecord?id=CVE-2025-53506