Apache Tomcat: Request header mix-up between HTTP/2 streams
Description
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tomcat HTTP/2 connections could leak request header values between streams, potentially exposing sensitive data across requests.
Vulnerability
Overview
CVE-2020-17527 is an information disclosure vulnerability in Apache Tomcat's HTTP/2 implementation. Tomcat could reuse an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream [1][2][3]. The three fix commits, all titled "Fix BZ 64830 - concurrency issue in HPACK decoder", show the mechanism: HpackDecoder kept a single StringBuilder instance field, appended every decoded header string into it and cleared it with setLength(0) after returning the value, so text appended by one decode could be handed back as part of another. The fix gives each readHpackString and readHuffmanString call its own builder. Affected versions are 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39, and 8.5.0 to 8.5.59 [4].
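The shared-builder pattern described above, modelled as an added Python example. This is constructed illustration code written for this page, not Tomcat source: it re-creates the shape of readHpackString's non-Huffman path (a 7-bit-prefix length from RFC 7541 followed by that many raw octets) once with a builder shared across calls and cleared afterwards, as the pre-fix code did, and once with a builder local to the call, as the fix does. The two-phase generator form, the `interleave` scheduler and the two header values are test scaffolding that force the overlap a real race only produces under timing; the Huffman path is not modelled.

```python
"""Model of the shared StringBuilder bug fixed for CVE-2020-17527 (constructed example)."""
from typing import Dict, Tuple


def decode_integer(buf: bytes, pos: int, prefix_bits: int) -> Tuple[int, int]:
    """RFC 7541 section 5.1 integer decoding. Returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        octet = buf[pos]
        pos += 1
        value += (octet & 0x7F) << shift
        shift += 7
        if not octet & 0x80:
            return value, pos


def encode_string_literal(text: str) -> bytes:
    """Non-Huffman HPACK string literal (H bit clear) used to build the sample inputs."""
    data = text.encode("latin-1")
    n = len(data)
    if n < 127:
        return bytes([n]) + data
    out = bytearray([127])
    n -= 127
    while n >= 128:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out) + data


class HpackStringReader:
    """Reads non-Huffman string literals. shared=True models the pre-fix
    StringBuilder field; shared=False models the per-call builder of the fix."""

    def __init__(self, shared: bool) -> None:
        self.shared = shared
        self._field: list = []  # stands in for the StringBuilder instance field

    def read_string_steps(self, buf: bytes, pos: int):
        if buf[pos] & 0x80:
            raise ValueError("Huffman-coded literal not modelled here")
        length, pos = decode_integer(buf, pos, 7)
        if len(buf) - pos < length:
            raise ValueError("string literal truncated")
        sb = self._field if self.shared else []  # field vs new StringBuilder(length)
        for i in range(length):
            sb.append(chr(buf[pos + i]))
        yield None  # octets appended; another decode may run before we read them back
        ret = "".join(sb)
        sb.clear()  # setLength(0) in the pre-fix code
        yield ret

    def read_string(self, buf: bytes, pos: int) -> str:
        """Sequential use: both phases back to back, as a single-threaded caller sees it."""
        steps = self.read_string_steps(buf, pos)
        next(steps)
        return next(steps)


def interleave(reader: HpackStringReader, first: bytes, second: bytes) -> Tuple[str, str]:
    """Overlap two decodes on one reader: both append, then both read back (scaffolding)."""
    a = reader.read_string_steps(first, 0)
    b = reader.read_string_steps(second, 0)
    next(a)
    next(b)
    return next(a), next(b)


# Constructed header values standing in for two streams on one connection.
STREAM1_AUTH = encode_string_literal("Bearer s3cr3t-token")
STREAM2_CTYPE = encode_string_literal("application/json")


def demo() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Sequential decoding is fine either way; overlapped decoding leaks only with the shared field."""
    results: Dict[str, Dict[str, Tuple[str, str]]] = {}
    for name, shared in (("shared", True), ("per-call", False)):
        r = HpackStringReader(shared)
        sequential = (r.read_string(STREAM1_AUTH, 0), r.read_string(STREAM2_CTYPE, 0))
        r = HpackStringReader(shared)
        results[name] = {"sequential": sequential, "overlapped": interleave(r, STREAM1_AUTH, STREAM2_CTYPE)}
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

With the shared field, the overlapped run hands stream 1's bearer token, concatenated with stream 2's value, to whichever decode reads first and an empty string to the other; with a per-call builder both runs return the two values unchanged. The real decoder also carries the connection's HPACK dynamic table, which is why the mix-up stays within one connection.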
Exploitation
Conditions
An attacker must be able to open HTTP/2 connections to an affected Tomcat connector. Tomcat only speaks HTTP/2 on connectors where the Http2Protocol UpgradeProtocol has been configured, so a server that never enabled it does not reach the affected decoder. The HPACK decoder state is held per connection, so a value that bleeds forward comes from an earlier stream on the same connection: on a connection that belongs to one client those are that client's own earlier headers, and the cross-user exposure that matters arises where an intermediary such as a reverse proxy or load balancer multiplexes requests from several users onto one HTTP/2 connection to Tomcat. The mix-up would most likely produce an error and close the connection, but a leaked value could be observed before that happens [4]. No authentication is required if the HTTP/2 connector is reachable from untrusted clients.
Impact
If exploited, a request on a later stream could be processed with a header value that belonged to an earlier stream on the same connection, and a value from one request could surface in another. Request headers commonly carry authentication tokens, session cookies and internal identity or routing headers, so the outcome could be a leaked credential or a request handled under another user's identity, leading to further compromise of the application or user accounts [4].
Mitigation
Apache has released fixed versions: Tomcat 10.0.0-M10, 9.0.40 and 8.5.60 [1][2][3]; upgrade to those or later. Check the running version with bin/version.sh (or the server.info entry in lib/catalina.jar) rather than the install directory name, and note that distribution packages backport the fix under their own release numbers (see the distribution ranges below). The advisory documents no workaround; where an upgrade cannot be scheduled immediately, removing the Http2Protocol UpgradeProtocol from the connector takes the HTTP/2 HPACK decoder out of the request path, at the cost of HTTP/2 support. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-coyote (Maven) | >= 10.0.0-M1, < 10.0.0-M10 | 10.0.0-M10 |
| org.apache.tomcat:tomcat-coyote (Maven) | >= 9.0.0-M1, < 9.0.40 | 9.0.40 |
| org.apache.tomcat:tomcat-coyote (Maven) | >= 8.5.0, < 8.5.60 | 8.5.60 |
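For operators checking an installation against the ranges in this table, an added Python helper. It is constructed for this page, not an Apache tool: the ranges are the three listed above, the version parser treats milestone builds (x.y.z-Mn) as sorting before the x.y.z release, and `version_from_catalina_jar` reads the server.info entry from org/apache/catalina/util/ServerInfo.properties inside lib/catalina.jar, the same entry Tomcat's ServerInfo class reports. The jar used in the demonstration is built in memory so the example runs offline.

```python
"""Classify an Apache Tomcat version against the CVE-2020-17527 ranges (constructed example)."""
import io
import re
import zipfile
from typing import Optional, Tuple

# (branch, first affected, first fixed) exactly as listed on this page
AFFECTED_RANGES = (
    ("8.5", "8.5.0", "8.5.60"),
    ("9.0", "9.0.0-M1", "9.0.40"),
    ("10.0", "10.0.0-M1", "10.0.0-M10"),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key; milestones (x.y.z-Mn) sort before the x.y.z release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> Optional[bool]:
    """True or False inside a listed branch; None for branches the advisory does not list."""
    key = version_key(version)
    for branch, first_bad, first_fixed in AFFECTED_RANGES:
        bmaj, bmin = (int(x) for x in branch.split("."))
        if key[0] == bmaj and key[1] == bmin:
            return version_key(first_bad) <= key < version_key(first_fixed)
    return None


def version_from_catalina_jar(jar_bytes: bytes) -> str:
    """Return 'X.Y.Z' from the server.info=Apache Tomcat/X.Y.Z line in ServerInfo.properties."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        props = jar.read(_SERVER_INFO).decode("utf-8")
    for line in props.splitlines():
        if line.startswith("server.info="):
            return line.split("/", 1)[1].strip()
    raise ValueError("server.info entry not found in ServerInfo.properties")


def fake_catalina_jar(version: str) -> bytes:
    """Constructed stand-in for lib/catalina.jar so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(_SERVER_INFO, f"server.info=Apache Tomcat/{version}\n")
    return buf.getvalue()


def classify_jar(jar_bytes: bytes) -> Tuple[str, Optional[bool]]:
    """Version string and affected verdict for a catalina.jar image."""
    version = version_from_catalina_jar(jar_bytes)
    return version, is_affected(version)


if __name__ == "__main__":
    # On a real host: classify_jar(open("/opt/tomcat/lib/catalina.jar", "rb").read())
    for v in ("8.5.59", "8.5.60", "9.0.39", "9.0.40", "10.0.0-M9", "10.0.0-M10", "7.0.107"):
        print(v, classify_jar(fake_catalina_jar(v)))
```

The upstream comparison only holds for Apache's own builds. Distribution packages carry the fix under their own release numbers (the SUSE ranges below fix at 9.0.36 with a distribution suffix), so for a packaged Tomcat compare the package version from the package manager against the distribution's range instead.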
Affected products
Coordinates and version ranges sourced from OSV (20 entries, paired in the order the record lists them):

| Package (purl) | Distribution | Affected range |
|---|---|---|
| pkg:bitnami/tomcat | | >= 8.5.1, < 8.5.60 |
| pkg:maven/org.apache.tomcat/tomcat-coyote | | >= 10.0.0-M1, < 10.0.0-M10 |
| pkg:rpm/opensuse/tomcat10 | openSUSE Tumbleweed | < 10.1.14-1.1 |
| pkg:rpm/opensuse/tomcat | openSUSE Leap 15.1 | < 9.0.36-lp151.3.39.1 |
| pkg:rpm/opensuse/tomcat | openSUSE Leap 15.2 | < 9.0.36-lp152.2.16.1 |
| pkg:rpm/opensuse/tomcat | openSUSE Tumbleweed | < 9.0.36-8.4 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise High Performance Computing 15-ESPOS | < 9.0.36-3.74.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise High Performance Computing 15-LTSS | < 9.0.36-3.74.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Module for Web and Scripting 15 SP1 | < 9.0.36-4.53.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Module for Web and Scripting 15 SP2 | < 9.0.36-3.18.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server 12 SP4-LTSS | < 9.0.36-3.58.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server 12 SP5 | < 9.0.36-3.58.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server 12 SP5-LTSS | < 9.0.115-3.160.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server 15-LTSS | < 9.0.36-3.74.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server for SAP Applications 12 SP4 | < 9.0.36-3.58.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server for SAP Applications 12 SP5 | < 9.0.36-3.58.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server for SAP Applications 15 | < 9.0.36-3.74.1 |
| pkg:rpm/suse/tomcat | SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | < 9.0.115-3.160.1 |
| pkg:rpm/suse/tomcat | SUSE OpenStack Cloud 9 | < 9.0.36-3.58.1 |
| pkg:rpm/suse/tomcat | SUSE OpenStack Cloud Crowbar 9 | < 9.0.36-3.58.1 |

None of the OSV entries carries a CPE. From the CVE v5 record: Apache Software Foundation / Apache Tomcat, range "Apache Tomcat 10 10.0.0-M1 to 10.0.0-M9".
Patches
321e3408671aaFix BZ 64830 - concurrency issue in HPACK decoder
2 files changed · +7 −8
java/org/apache/coyote/http2/HpackDecoder.java+4 −8 modified@@ -72,8 +72,6 @@ public class HpackDecoder { private volatile boolean countedCookie; private volatile int headerSize = 0; - private final StringBuilder stringBuilder = new StringBuilder(); - public HpackDecoder(int maxMemorySize) { this.maxMemorySizeHard = maxMemorySize; this.maxMemorySizeSoft = maxMemorySize; @@ -222,19 +220,17 @@ private String readHpackString(ByteBuffer buffer) throws HpackException { if (huffman) { return readHuffmanString(length, buffer); } + StringBuilder stringBuilder = new StringBuilder(length); for (int i = 0; i < length; ++i) { stringBuilder.append((char) buffer.get()); } - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException { + StringBuilder stringBuilder = new StringBuilder(length); HPackHuffman.decode(buffer, length, stringBuilder); - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String handleIndexedHeaderName(int index) throws HpackException {
webapps/docs/changelog.xml+3 −0 modified@@ -103,6 +103,9 @@ Add additional debug logging for I/O issues when communicating with the user agent. (markt) </add> + <fix> + <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt) + </fix> </changelog> </subsection> <subsection name="WebSocket">
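Review bot: no test accompanies the HpackDecoder change; a regression test that drives one HpackDecoder from two threads, or decodes one header block after another and checks the second value is not prefixed by the first, would pin the behaviour bug 64830 reported and keep the per-call builder from being "optimised" back into a field. Separately, `new StringBuilder(length)` in both readHpackString and readHuffmanString sizes the builder from the `length` decoded out of the header block before any octet is read; the check of that length against `buffer.remaining()` is not in this hunk, so confirm it runs before these lines.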
8d2fe6894d6eFix BZ 64830 - concurrency issue in HPACK decoder
2 files changed · +7 −8
java/org/apache/coyote/http2/HpackDecoder.java+4 −8 modified@@ -72,8 +72,6 @@ public class HpackDecoder { private volatile boolean countedCookie; private volatile int headerSize = 0; - private final StringBuilder stringBuilder = new StringBuilder(); - HpackDecoder(int maxMemorySize) { this.maxMemorySizeHard = maxMemorySize; this.maxMemorySizeSoft = maxMemorySize; @@ -222,19 +220,17 @@ private String readHpackString(ByteBuffer buffer) throws HpackException { if (huffman) { return readHuffmanString(length, buffer); } + StringBuilder stringBuilder = new StringBuilder(length); for (int i = 0; i < length; ++i) { stringBuilder.append((char) buffer.get()); } - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException { + StringBuilder stringBuilder = new StringBuilder(length); HPackHuffman.decode(buffer, length, stringBuilder); - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String handleIndexedHeaderName(int index) throws HpackException {
webapps/docs/changelog.xml+3 −0 modified@@ -132,6 +132,9 @@ Add additional debug logging for I/O issues when communicating with the user agent. (markt) </add> + <fix> + <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
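Review bot: the non-Huffman loop this hunk touches still does `stringBuilder.append((char) buffer.get())`, which sign-extends each byte before narrowing to char, so octets 0x80 to 0xFF land at U+FF80 to U+FFFF rather than the ISO-8859-1 code points U+0080 to U+00FF; `(char) (buffer.get() & 0xFF)` would give the Latin-1 mapping. Pre-existing rather than introduced here, but worth fixing while the loop is being rewritten.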
d56293f816d6Fix BZ 64830 - concurrency issue in HPACK decoder
2 files changed · +7 −8
java/org/apache/coyote/http2/HpackDecoder.java+4 −8 modified@@ -72,8 +72,6 @@ public class HpackDecoder { private volatile boolean countedCookie; private volatile int headerSize = 0; - private final StringBuilder stringBuilder = new StringBuilder(); - HpackDecoder(int maxMemorySize) { this.maxMemorySizeHard = maxMemorySize; this.maxMemorySizeSoft = maxMemorySize; @@ -222,19 +220,17 @@ private String readHpackString(ByteBuffer buffer) throws HpackException { if (huffman) { return readHuffmanString(length, buffer); } + StringBuilder stringBuilder = new StringBuilder(length); for (int i = 0; i < length; ++i) { stringBuilder.append((char) buffer.get()); } - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException { + StringBuilder stringBuilder = new StringBuilder(length); HPackHuffman.decode(buffer, length, stringBuilder); - String ret = stringBuilder.toString(); - stringBuilder.setLength(0); - return ret; + return stringBuilder.toString(); } private String handleIndexedHeaderName(int index) throws HpackException {
webapps/docs/changelog.xml+3 −0 modified@@ -128,6 +128,9 @@ Add additional debug logging for I/O issues when communicating with the user agent. (markt) </add> + <fix> + <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt) + </fix> </changelog> </subsection> <subsection name="Jasper">
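Review bot: in readHuffmanString, `new StringBuilder(length)` uses the encoded octet count as the initial capacity, but HPACK Huffman codes are 5 to 30 bits, so the decoded string can hold up to 8/5 as many characters as there were octets and the builder will grow mid-decode for typical ASCII-heavy values; `length * 8 / 5` is the bound if the intent is to avoid resizing. Harmless for correctness, which is what this fix is about.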
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vvw4-rfwf-p6hx (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-17527 (NVD)
- security.gentoo.org/glsa/202012-23 (Gentoo vendor advisory)
- www.debian.org/security/2021/dsa-4835 (Debian vendor advisory)
- www.openwall.com/lists/oss-security/2020/12/03/3 (oss-security mailing list)
- bz.apache.org/bugzilla/show_bug.cgi (Apache Bugzilla)
- github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29 (fix commit)
- github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb (fix commit)
- github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65 (fix commit)
- lists.apache.org/thread.html/r26a2a66339087fc37db3caf201e446d3e83b5cce314371e235ff1784@%3Ccommits.tomee.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r2d6e05c5ff96f8068a59dfdb3800e9ee8d4e36ce1971783c6e5f9b20@%3Ccommits.tomee.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r5a285242737ddef4d338236328aaaf3237183e1465a5efafd16b99ed@%3Cdev.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c@%3Cdev.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/r9fd47f1b03e9b41d16a5cf72659b533887267d3398d963c2fff3abfa@%3Ccommits.tomee.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ra35c8d617b17d59f400112cebadec43ad379f98198b4a9726190d7ee@%3Cissues.guacamole.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.apache.org%3E (mailing list)
- lists.apache.org/thread.html/ra9fcdb904dd2e2256ef90b3e4ced279cd464cb0ab63a6c64df5c010d@%3Cannounce.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53@%3Cdev.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rabbe6b3ae6a9795641d7a05c00d2378d5bbbe4240b7e20f09b092cce@%3Cissues.guacamole.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rbba08c4dcef3603e36276d49adda8eedbe458c5104314b4038f697e1@%3Cusers.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca@%3Cusers.tomcat.apache.org%3E (mailing list)
- lists.debian.org/debian-lts-announce/2020/12/msg00022.html (Debian LTS mailing list)
- security.netapp.com/advisory/ntap-20201210-0003 (NetApp advisory)
- tomcat.apache.org/security-10.html (Apache Tomcat security page)
- tomcat.apache.org/security-8.html (Apache Tomcat security page)
- tomcat.apache.org/security-9.html (Apache Tomcat security page)
- www.oracle.com//security-alerts/cpujul2021.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuApr2021.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpuapr2022.html (Oracle Critical Patch Update)
- www.oracle.com/security-alerts/cpujan2022.html (Oracle Critical Patch Update)
News mentions
No linked articles in our index yet.