VYPR
Moderate severityNVD Advisory· Published Mar 13, 2024· Updated Oct 29, 2025

Apache Tomcat: WebSocket DoS with incomplete closing handshake

CVE-2024-23672

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcat-websocketMaven
>= 11.0.0-M1, < 11.0.0-M1711.0.0-M17
org.apache.tomcat:tomcat-websocketMaven
>= 10.1.0-M1, < 10.1.1910.1.19
org.apache.tomcat:tomcat-websocketMaven
>= 9.0.0-M1, < 9.0.869.0.86
org.apache.tomcat:tomcat-websocketMaven
>= 8.5.0, < 8.5.998.5.99
org.apache.tomcat.embed:tomcat-embed-websocketMaven
>= 11.0.0-M1, < 11.0.0-M1711.0.0-M17
org.apache.tomcat.embed:tomcat-embed-websocketMaven
>= 10.1.0-M1, < 10.1.1910.1.19
org.apache.tomcat.embed:tomcat-embed-websocketMaven
>= 9.0.0-M1, < 9.0.869.0.86
org.apache.tomcat.embed:tomcat-embed-websocketMaven
>= 8.5.0, < 8.5.998.5.99

Affected products

117

Patches

Vulnerability mechanics

References

12

News mentions

0

No linked articles in our index yet.