Login Sign Up

CVE-2025-52434

7.5 HIGH
Denial of Service

📋 TL;DR

A race condition vulnerability in Apache Tomcat's APR/Native connector when handling HTTP/2 connection closures can lead to crashes or denial of service. This affects Tomcat versions 9.0.0.M1 through 9.0.106 and EOL versions 8.5.0 through 8.5.100. Systems using the APR/Native connector with HTTP/2 enabled are vulnerable.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 9.0.0.M1 through 9.0.106, and EOL versions 8.5.0 through 8.5.100
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using APR/Native connector with HTTP/2 enabled. Default configurations may not be affected.

📦 What is this software?

Tomcat by Apache

View all CVEs affecting Tomcat →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service disruption through denial of service, potentially causing application downtime and availability issues.

🟠

Likely Case

Intermittent crashes or instability of Tomcat instances, leading to degraded performance and service interruptions.

🟢

If Mitigated

Minimal impact if HTTP/2 is disabled or APR/Native connector is not used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires specific timing conditions and HTTP/2 usage, making it moderately complex but achievable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.107

Vendor Advisory: https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030

Restart Required: Yes

Instructions:

1. Download Tomcat 9.0.107 or later from Apache website. 2. Stop Tomcat service. 3. Backup current installation. 4. Replace with patched version. 5. Restart Tomcat service.

🔧 Temporary Workarounds

Disable HTTP/2

all

Disable HTTP/2 protocol to prevent exploitation of this race condition.

Edit server.xml and remove or comment out HTTP/2 connector configurations

Use alternative connector

all

Switch from APR/Native connector to NIO or NIO2 connector.

Modify server.xml to use <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" ...>

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Tomcat instances
  • Deploy web application firewall (WAF) with rate limiting and anomaly detection

🔍 How to Verify

Check if Vulnerable:

Check Tomcat version and connector configuration in server.xml for APR/Native with HTTP/2.

Check Version:

catalina.sh version (Unix) or version.bat (Windows)

Verify Fix Applied:

Verify Tomcat version is 9.0.107 or higher and check that service remains stable under load.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connection resets
  • Thread dump showing race conditions
  • HTTP/2 connection closure errors

Network Indicators:

  • Abnormal HTTP/2 connection termination patterns
  • Increased 5xx errors from Tomcat

SIEM Query:

source="tomcat" AND ("connection reset" OR "race condition" OR "HTTP/2 error")

📊 Metadata

CVE ID: CVE-2025-52434
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-362
EPSS Score: 0.27% exploit probability (50.4th percentile)
Published: July 10, 2025
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-52434, you might also want to check these:

CVE-2025-43275 9.8

A race condition vulnerability in macOS allows malicious applications to escape their sandbox restri...

Same vulnerability type (CWE-362)
CVE-2021-32810 9.8

A race condition in crossbeam-deque Rust library versions before 0.7.4 and 0.8.0 allows tasks in wor...

Same vulnerability type (CWE-362)
CVE-2025-30444 9.8

A race condition vulnerability in macOS SMB client allows attackers to cause system termination (ker...

Same vulnerability type (CWE-362)