CVE-2025-53506

7.5 HIGH

📋 TL;DR

This vulnerability allows an attacker to cause a denial-of-service (DoS) condition in Apache Tomcat by exploiting an HTTP/2 protocol flaw. An uncooperative HTTP/2 client can prevent the server from properly limiting concurrent streams, leading to uncontrolled resource consumption. This affects Tomcat versions 9.0.0.M1 through 9.0.106, 10.1.0-M1 through 10.1.42, and 11.0.0-M1 through 11.0.8, as well as some EOL versions.

💻 Affected Systems

Products:
  • Apache Tomcat
Versions: 9.0.0.M1 through 9.0.106, 10.1.0-M1 through 10.1.42, 11.0.0-M1 through 11.0.8, and EOL versions 8.5.0 through 8.5.100
Operating Systems: All operating systems running affected Tomcat versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Tomcat installations with HTTP/2 enabled (default in affected versions). HTTP/1.x connections are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to resource exhaustion, affecting all HTTP/2 traffic to the Tomcat server.

🟠 Likely Case

Degraded performance or intermittent service disruptions under targeted attack.

🟢 If Mitigated

Minimal impact with proper network segmentation and rate limiting in place.

🌐 Internet-Facing: HIGH - HTTP/2 servers exposed to the internet are directly vulnerable to unauthenticated DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still cause service disruption, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malformed HTTP/2 frames, which can be done with standard HTTP/2 client libraries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.0.9, 10.1.43, or 9.0.107

Vendor Advisory: https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0

Restart Required: Yes

Instructions:

1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up the configuration files.
4. Replace the Tomcat installation with the patched version.
5. Restore the configuration files.
6. Start the Tomcat service.

🔧 Temporary Workarounds

Disable HTTP/2

Platform: all

Disable HTTP/2 protocol support in the Tomcat configuration.

Edit server.xml and remove or comment out the HTTP/2 upgrade protocol entry in the connector configuration.

Implement Rate Limiting

Platform: linux

Use network-level rate limiting to restrict the number of concurrent HTTP/2 connections per source address.

iptables -A INPUT -p tcp --dport 8443 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to limit access to Tomcat HTTP/2 ports
  • Deploy WAF or load balancer with HTTP/2 anomaly detection capabilities

🔍 How to Verify

Check if Vulnerable:

Check Tomcat version and verify HTTP/2 is enabled in server.xml configuration

Check Version:

catalina.sh version (Unix) or catalina.bat version (Windows)

Verify Fix Applied:

Verify Tomcat version is 11.0.9+, 10.1.43+, or 9.0.107+ and test HTTP/2 functionality
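The two verification steps above (check the running version against the affected ranges, and check whether HTTP/2 is actually enabled in server.xml) can be scripted. The following is an added example written for this page, not code from the Apache Tomcat project or the advisory. It assumes the version line printed by `catalina.sh version` has the form `Server version: Apache Tomcat/x.y.z`, that HTTP/2 is enabled in server.xml by a nested `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />` element, and that milestone builds (9.0.0.M1, 10.1.0-M1, 11.0.0-M1) sort before the GA releases of their line. The affected ranges are exactly those listed on this page; the sample version output and server.xml are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in this advisory: every build of a listed
# (major, minor) line from its first milestone up to the given patch level.
AFFECTED_MAX_PATCH = {
    (8, 5): 100,   # EOL line, no fixed release
    (9, 0): 106,   # fixed in 9.0.107
    (10, 1): 42,   # fixed in 10.1.43
    (11, 0): 8,    # fixed in 11.0.9
}

# Tomcat's HTTP/2 upgrade protocol implementation (assumed class name).
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Matches "Apache Tomcat/9.0.106", "Apache Tomcat/9.0.0.M1", "Apache Tomcat/10.1.0-M1".
VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, milestone) from `catalina.sh version` output.

    milestone is None for a GA release and an int for an M-build.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Apache Tomcat/x.y.z' version string found")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, milestone


def sort_key(version):
    """Ordering key: milestone builds of x.y.z sort before the GA x.y.z."""
    major, minor, patch, milestone = version
    is_ga = 1 if milestone is None else 0
    return (major, minor, patch, is_ga, milestone or 0)


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    major, minor = version[0], version[1]
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    if max_patch is None:
        return False  # release line not listed in this advisory
    upper_bound = (major, minor, max_patch, None)  # GA build at the top of the range
    return sort_key(version) <= sort_key(upper_bound)


def http2_connector_ports(server_xml_text):
    """Ports of Connectors that have the HTTP/2 upgrade protocol enabled.

    ElementTree discards XML comments, so a commented-out <UpgradeProtocol>
    is treated as disabled, matching the workaround described above.
    """
    root = ET.fromstring(server_xml_text)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                ports.append(connector.get("port"))
    return ports


def assess(version_output, server_xml_text):
    """Combine both checks: affected version AND HTTP/2 actually enabled."""
    version = parse_version(version_output)
    ports = http2_connector_ports(server_xml_text)
    affected = is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "http2_ports": ports,
        "exposed": affected and bool(ports),
    }


# Constructed sample output of `catalina.sh version` (not captured from a real host).
SAMPLE_VERSION_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.106
"""

# Constructed sample server.xml: HTTP/2 enabled on 8443, commented out on 9443.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <!-- <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> -->
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SERVER_XML))
```

Run it against the real `catalina.sh version` output and the deployed server.xml; a host is only exposed when both the version is in range and at least one connector has the HTTP/2 upgrade protocol enabled. After patching, `affected_version` should turn False for 9.0.107+, 10.1.43+ and 11.0.9+.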

📡 Detection & Monitoring

Log Indicators:

  • Unusual number of HTTP/2 connection attempts
  • Resource exhaustion warnings in Tomcat logs
  • Increased error rates for HTTP/2 requests

Network Indicators:

  • High volume of HTTP/2 connections from single sources
  • Malformed HTTP/2 frames in network traffic

SIEM Query:

source="tomcat" AND ("HTTP/2" OR "h2") AND ("error" OR "timeout" OR "resource")
