Response mix-up with WebSocket concurrent send and close
Description
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A concurrent WebSocket send and close in Apache Tomcat can leave the application using a socket after it has been closed; the resulting error handling inserts a pooled object into the pool twice, and the shared object can leak data between connections.
Vulnerability
A race condition exists in Apache Tomcat's WebSocket handling when a web application sends a WebSocket message concurrently with the WebSocket connection closing. This affects versions 8.5.0 to 8.5.75 and 9.0.0.M1 to 9.0.20. The error handling in this scenario can cause a pooled object to be placed in the pool twice, leading to subsequent connections using the same object concurrently [1].
Exploitation
An attacker must be able to establish a WebSocket connection and send a message while the server is closing the connection. The exploit requires precise timing to trigger the race condition. No authentication is required beyond the ability to create a WebSocket connection, although the web application must be configured to use WebSockets [1].
Impact
Successful exploitation can result in data being returned to the wrong user or other errors, potentially leading to information disclosure or data corruption. The attacker does not gain code execution or elevated privileges, but the integrity and confidentiality of data may be compromised [1].
Mitigation
Not yet disclosed in the available references. Users should monitor Apache Tomcat security advisories for fixed versions. The vulnerability is present in the affected ranges, so upgrading to a later version (e.g., 8.5.76+ or 9.0.21+) may resolve the issue, but confirmation is pending [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat | Maven | >= 8.5.0, < 8.5.75 | 8.5.75 |
| org.apache.tomcat:tomcat | Maven | >= 9.0.0M1, < 9.0.20 | 9.0.20 |
Affected products
- osv-coords (no CPE): range >= 8.5.0, < 8.5.76
- osv-coords (no CPE): range >= 8.5.0, < 8.5.75
- Apache Software Foundation / Apache Tomcat (v5 range): Apache Tomcat 9 9.0.0.M1 to 9.0.20
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h3ch-5pp2-vh6w (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25762 (GHSA, ADVISORY)
- lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c (GHSA, x_refsource_MISC, WEB)
- security.netapp.com/advisory/ntap-20220629-0003 (GHSA, WEB)
- security.netapp.com/advisory/ntap-20220629-0003/ (MITRE, x_refsource_CONFIRM)
- www.oracle.com/security-alerts/cpujul2022.html (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.