VYPR
← All advisories
High severityNVD Advisory· Published Jul 14, 2020· Updated Aug 4, 2024

CVE-2020-13935

CVE-2020-13935

Description

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat WebSocket payload length validation flaw leads to infinite loop and denial of service (DoS).

The vulnerability resides in the WebSocket frame processing logic of Apache Tomcat. The payload length field in a WebSocket frame is not properly validated, allowing an attacker to send a frame with an invalid payload length that triggers an infinite loop in the server. This issue affects multiple Tomcat versions: 7.0.27 to 7.0.104, 8.5.0 to 8.5.56, 9.0.0.M1 to 9.0.36, and 10.0.0-M1 to 10.0.0-M6 [1][2][3][4].

An attacker can exploit this vulnerability by sending a specially crafted WebSocket frame with an invalid payload length to a vulnerable Tomcat server. No authentication is required, and the attack can be performed over a network connection where WebSocket communication is enabled. By sending multiple such requests, the attacker can cause the server to enter an infinite loop repeatedly, consuming CPU resources and leading to a denial of service [1].

The impact of successful exploitation is a denial of service condition, which can render the Tomcat server unresponsive. This can affect the availability of web applications hosted on the server.

Apache Tomcat has released fixes for this vulnerability. Users should upgrade to Tomcat 7.0.105 or later, 8.5.57 or later, 9.0.37 or later, or 10.0.0-M7 or later. Note that Tomcat 7.0.x has reached end of life and no further security fixes will be provided; users are strongly advised to migrate to a supported branch [1].

References
  1. Apache Tomcat® - Apache Tomcat 7 vulnerabilities
  2. Apache Tomcat® - Apache Tomcat 8 vulnerabilities
  3. Apache Tomcat® - Apache Tomcat 9 vulnerabilities
  4. Apache Tomcat® - Apache Tomcat 10 vulnerabilities

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcatMaven
>= 10.0.0-M1, < 10.0.0-M710.0.0-M7
org.apache.tomcat:tomcatMaven
>= 9.0.0.M1, < 9.0.379.0.37
org.apache.tomcat:tomcatMaven
>= 8.5.0, < 8.5.578.5.57
org.apache.tomcat:tomcatMaven
>= 7.0.27, < 7.0.1057.0.105

Affected products

32

Patches

5
4c04982870d6

Fix BZ 64563 - additional payload length validation

https://github.com/apache/tomcatMark ThomasJun 30, 2020via ghsa
commit
2 files changed · +7 0
  • java/org/apache/catalina/websocket/LocalStrings.properties+1 0 modified
    @@ -14,6 +14,7 @@
 # limitations under the License.
 
 frame.eos=The end of the stream was reached before the expected number of payload bytes could be read
+frame.invalidLength=An invalid payload length was specified
 frame.invalidUtf8=A sequence of bytes was received that did not represent valid UTF-8
 frame.notMasked=The client frame was not masked but all client frames must be masked
 frame.readEos=The end of the stream was reached when trying to read the first byte of a new WebSocket frame
  • java/org/apache/catalina/websocket/WsFrame.java+6 0 modified
    @@ -84,6 +84,12 @@ private WsFrame(byte first,
             blockingRead(processor, extended);
             payloadLength = Conversions.byteArrayToLong(extended);
         }
+        // The most significant bit of those 8 bytes is required to be zero
+        // (see RFC 6455, section 5.2). If the most significant bit is set,
+        // the resulting payload length will be negative so test for that.
+        if (payloadLength < 0) {
+            throw new IOException(sm.getString("frame.invalidLength"));
+        }
 
         if (isControl()) {
             if (payloadLength > 125) {
12d715676038

Fix BZ 64563 - additional payload length validation

https://github.com/apache/tomcatMark ThomasJun 29, 2020via ghsa
commit
3 files changed · +16 0
  • java/org/apache/tomcat/websocket/LocalStrings.properties+1 0 modified
    @@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
  • java/org/apache/tomcat/websocket/WsFrameBase.java+7 0 modified
    @@ -261,6 +261,13 @@ private boolean processRemainingHeader() throws IOException {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             inputBuffer.position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {
  • webapps/docs/changelog.xml+8 0 modified
    @@ -123,6 +123,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="WebSocket">
+    <changelog>
+      <fix>
+        <bug>64563</bug>: Add additional validation of payload length for
+        WebSocket messages. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <fix>
1c1c77b0efb6

Fix BZ 64563 - additional payload length validation

https://github.com/apache/tomcatMark ThomasJun 29, 2020via ghsa
commit
3 files changed · +16 0
  • java/org/apache/tomcat/websocket/LocalStrings.properties+1 0 modified
    @@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
  • java/org/apache/tomcat/websocket/WsFrameBase.java+7 0 modified
    @@ -261,6 +261,13 @@ private boolean processRemainingHeader() throws IOException {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             inputBuffer.position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {
  • webapps/docs/changelog.xml+8 0 modified
    @@ -138,6 +138,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="WebSocket">
+    <changelog>
+      <fix>
+        <bug>64563</bug>: Add additional validation of payload length for
+        WebSocket messages. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Web Applications">
     <changelog>
       <update>
40fa74c74822

Fix BZ 64563 - additional payload length validation

https://github.com/apache/tomcatMark ThomasJun 29, 2020via ghsa
commit
3 files changed · +16 0
  • java/org/apache/tomcat/websocket/LocalStrings.properties+1 0 modified
    @@ -71,6 +71,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.suspendRequested=Suspend of the message receiving has already been requested.
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
  • java/org/apache/tomcat/websocket/WsFrameBase.java+7 0 modified
    @@ -261,6 +261,13 @@ private boolean processRemainingHeader() throws IOException {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             inputBuffer.position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {
  • webapps/docs/changelog.xml+8 0 modified
    @@ -127,6 +127,14 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="WebSocket">
+    <changelog>
+      <fix>
+        <bug>64563</bug>: Add additional validation of payload length for
+        WebSocket messages. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <fix>
f9f75c14678b

Fix BZ 64563 - additional payload length validation

https://github.com/apache/tomcatMark ThomasJun 29, 2020via ghsa
commit
3 files changed · +12 0
  • java/org/apache/tomcat/websocket/LocalStrings.properties+1 0 modified
    @@ -64,6 +64,7 @@ wsFrame.noContinuation=A new message was started when a continuation frame was e
 wsFrame.notMasked=The client frame was not masked but all client frames must be masked
 wsFrame.oneByteCloseCode=The client sent a close frame with a single byte payload which is not valid
 wsFrame.partialHeaderComplete=WebSocket frame received. fin [{0}], rsv [{1}], OpCode [{2}], payload length [{3}]
+wsFrame.payloadMsbInvalid=An invalid WebSocket frame was received - the most significant bit of a 64-bit payload was illegally set
 wsFrame.sessionClosed=The client data cannot be processed because the session has already been closed
 wsFrame.textMessageTooBig=The decoded text message was too big for the output buffer and the endpoint does not support partial messages
 wsFrame.wrongRsv=The client frame set the reserved bits to [{0}] for a message with opCode [{1}] which was not supported by this endpoint
  • java/org/apache/tomcat/websocket/WsFrameBase.java+7 0 modified
    @@ -256,6 +256,13 @@ private boolean processRemainingHeader() throws IOException {
             readPos += 2;
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer, readPos, 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             readPos += 8;
         }
         if (Util.isControl(opCode)) {
  • webapps/docs/changelog.xml+4 0 modified
    @@ -105,6 +105,10 @@
         Include the target URL in the log message when a WebSocket connection
         fails. (markt)
       </add>
+      <fix>
+        <bug>64563</bug>: Add additional validation of payload length for
+        WebSocket messages. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Other">

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

32

News mentions

0

No linked articles in our index yet.