CVE-2021-25122

7.5 HIGH

📋 TL;DR

This vulnerability in Apache Tomcat allows HTTP/2 cleartext (h2c) connections to leak request data between users. When processing h2c requests, Tomcat could duplicate headers and limited body content from one user's request to another's response, potentially exposing sensitive information. Affected users are those running vulnerable Tomcat versions with h2c enabled.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61
Operating Systems: All operating systems running Tomcat
Default Config Vulnerable: ✅ No
Notes: Only affects configurations with HTTP/2 cleartext (h2c) enabled. HTTP/2 over TLS (h2) is not affected.


⚠️ Risk & Real-World Impact

🔴 Worst Case

User A's sensitive data (authentication tokens, personal information, API keys) appears in User B's response, leading to data breach, session hijacking, or privilege escalation.

🟠 Likely Case

Information disclosure where users see fragments of other users' requests, potentially exposing session IDs, form data, or API parameters.

🟢 If Mitigated

Limited exposure of non-sensitive headers or request fragments if proper input validation and output encoding are in place elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires h2c connections and concurrent requests. The flaw is in Tomcat's request-processing logic, so no special payload is needed; ordinary concurrent traffic over h2c can trigger it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.2, 9.0.42, 8.5.62

Vendor Advisory: https://lists.apache.org/thread.html/r7b95bc248603360501f18c8eb03bb6001ec0ee3296205b34b07105b7%40%3Cannounce.tomcat.apache.org%3E

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore configuration files.
6. Start the Tomcat service.

🔧 Temporary Workarounds

Disable h2c protocol (applies to: all affected versions)

Disable HTTP/2 cleartext connections to prevent exploitation.

Edit server.xml and remove or comment out <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> from every Connector that does not set SSLEnabled="true". Leave it in place on TLS connectors: HTTP/2 over TLS (h2) is not affected, and removing it there would only disable HTTP/2 for those clients without reducing exposure.

🧯 If You Can't Patch

  • Disable HTTP/2 cleartext (h2c) in Tomcat configuration
  • Implement network segmentation to isolate Tomcat instances from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the Tomcat version against the affected ranges, and inspect server.xml for an <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> element nested inside a Connector that does not set SSLEnabled="true" (that is the h2c case; the same element inside a TLS connector only enables h2, which is not affected).

Check Version:

java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo

Verify Fix Applied:

Verify Tomcat version is 10.0.2+, 9.0.42+, or 8.5.62+ and test h2c connections for data leakage
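The two checks above (version against the fixed releases, and h2c enabled in server.xml), as an added POSIX shell example that is not part of this advisory or of the Tomcat project. The function and variable names are this example's own; the sample server.xml is constructed for the demo. On a real host the version string would come from the ServerInfo command above and be passed as the first argument, with the path to the live server.xml as the second.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Tomcat version against the
# fixed releases for CVE-2021-25122 and find h2c-enabled connectors in server.xml.

# Return 0 when the "major.minor.patch" version is below the fixed release on its
# branch (10.0.2, 9.0.42, 8.5.62), i.e. still unpatched. Milestone suffixes such as
# "10.0.0-M1" or "9.0.0.M1" are reduced to their numeric base first.
tomcat_version_vulnerable() {
  v="$1"
  base=$(printf '%s' "$v" | sed 's/[-.]M[0-9]*$//')
  major=${base%%.*}; rest=${base#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case "$major.$minor" in
    10.0) [ "$patch" -lt 2 ] ;;    # 10.0.0-M1 .. 10.0.0 affected, 10.0.2 fixed
    9.0)  [ "$patch" -lt 42 ] ;;   # 9.0.0.M1 .. 9.0.41 affected, 9.0.42 fixed
    8.5)  [ "$patch" -lt 62 ] ;;   # 8.5.0 .. 8.5.61 affected, 8.5.62 fixed
    *)    return 1 ;;              # branch not listed as affected
  esac
}

# Print the port of each Connector that enables h2c: an <UpgradeProtocol ...Http2Protocol>
# nested in a Connector without SSLEnabled="true". h2 over TLS is not affected, so TLS
# connectors are skipped. Exit status 0 if at least one h2c connector was found.
h2c_connectors() {
  awk '
    /<Connector/ { inconn=1; tls=0; h2=0; port="?"
                   if (match($0, /port="[0-9]+"/)) port=substr($0, RSTART+6, RLENGTH-7) }
    inconn && /SSLEnabled="true"/ { tls=1 }
    inconn && /Http2Protocol/     { h2=1 }
    inconn && /<\/Connector>/     { if (h2 && !tls) { print port; found=1 }; inconn=0 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Constructed sample server.xml (not from any real deployment): port 8080 is a plain
# HTTP connector with h2c enabled (affected); port 8443 is TLS with h2 (not affected).
SAMPLE_XML=$(mktemp)
trap 'rm -f "$SAMPLE_XML"' EXIT
cat > "$SAMPLE_XML" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
EOF

# Usage: ./check_h2c.sh <version> [server.xml]; the version is what
# java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo reports.
ver="${1:-9.0.41}"
xml="${2:-$SAMPLE_XML}"
if tomcat_version_vulnerable "$ver"; then
  echo "Tomcat $ver is below the fixed release for CVE-2021-25122"
else
  echo "Tomcat $ver is at or above the fixed release"
fi
if ports=$(h2c_connectors "$xml"); then
  echo "h2c enabled on non-TLS connector port(s): $ports"
else
  echo "no h2c-enabled plain connectors found in $xml"
fi
```

A host is exposed only when both checks fire: an unpatched version and at least one plain-HTTP connector carrying the Http2Protocol upgrade. Either output alone is enough to decide between patching and the server.xml workaround.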

📡 Detection & Monitoring

Log Indicators:

  • Unusual request patterns in h2c connections
  • Multiple users receiving similar response data

Network Indicators:

  • HTTP/2 cleartext traffic to Tomcat ports
  • Abnormal request/response patterns in h2c sessions

SIEM Query:

source="tomcat_access.log" "HTTP/2.0"
| eventstats median(bytes) AS typical_bytes BY uri
| where bytes > 2 * typical_bytes

This query (Splunk SPL) flags HTTP/2 responses whose size is well above the usual size for the same URI, which is what duplicated headers or body content from another request would produce. It assumes the access log has been parsed into uri and bytes fields; adjust the field names to your log format. Response size alone cannot prove that content was duplicated, so treat hits as leads for manual review.
