VYPR
Moderate severity · NVD Advisory · Published Mar 13, 2024 · Updated Oct 29, 2025

Apache Tomcat: HTTP/2 header handling DoS

CVE-2024-24549

Description

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat fails to promptly reset HTTP/2 streams that exceed header limits, allowing an attacker to cause a denial of service by sending oversized headers.

Root Cause

CVE-2024-24549 is a denial of service vulnerability in Apache Tomcat's HTTP/2 header processing. The root cause is improper input validation: when an HTTP/2 request exceeds any of the configured limits for headers, the associated stream is not reset until after all headers have been processed [1][2]. The validation that should trigger a reset is delayed until the onHeadersComplete method, rather than being performed as soon as the limit is exceeded. This means an attacker can send a request with a large number of headers that surpass the server's limits, and the server will continue processing the entire header block before resetting the stream [4].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending crafted HTTP/2 requests that contain excessive headers. No special privileges or network position beyond the ability to reach the Tomcat server are required. The attack is straightforward: the attacker simply sends a request that exceeds any of the configured header limits (e.g., maximum number of headers, maximum header size). The vulnerability affects all versions of Tomcat 8.5.x up to 8.5.98, 9.0.x up to 9.0.85, 10.1.x up to 10.1.18, and 11.0.x up to 11.0.0-M16 [1][2].

Impact

A successful exploit leads to a denial of service. Because the server consumes resources (CPU, memory) to process the entire header block before resetting the stream, an attacker can cause resource exhaustion by sending multiple such requests. This can degrade performance or crash the Tomcat server, affecting availability for legitimate users. The vulnerability is rated as important severity [2].

Mitigation

Apache has released fixed versions: 11.0.0-M17, 10.1.19, 9.0.86, and 8.5.99 [1][2]. The fix moves the header validation earlier in the processing pipeline, so that streams exceeding limits are reset promptly without processing all headers [4]. Users are strongly recommended to upgrade to these versions. Older, end-of-life versions may also be affected and should be upgraded to a supported release.
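The root cause and the fix described above both come down to where the header-limit check runs: once, after the whole header block has been decoded, or after every HEADERS and CONTINUATION frame. The following Python model is an added example for this advisory, not code from Apache Tomcat. It parses real RFC 7540 frame headers (9-byte length/type/flags/stream-id prefix), but the header block fragment uses a constructed plain-text encoding in place of HPACK, and the limit names (max_header_count, max_header_size), the StreamReset exception and the sample request are all constructed for the illustration. It drives the same oversized request through both placements of the check and reports how many frames and headers each one decodes before the stream is reset.

```python
# Per-frame header-limit enforcement, modelled on the CVE-2024-24549 fix.
# Added example for this advisory, not Apache Tomcat code. Frame headers follow
# RFC 7540 section 4.1; the header block fragment is a constructed plain-text
# encoding ("name: value" lines) standing in for HPACK. Limit names and the
# sample request are made up for the illustration.
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

class StreamReset(Exception):
    pass  # the server-side decision to reset the stream (RST_STREAM)

def build_frame(frame_type, flags, stream_id, payload):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(data):
    """Yield (frame_type, flags, stream_id, payload) for each frame in data."""
    offset = 0
    while offset < len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        offset += 9 + length
        yield frame_type, flags, stream_id, payload

class HeaderEmitter:
    """Collects decoded headers and checks them against the configured limits."""
    def __init__(self, max_header_count, max_header_size):  # constructed limit names
        self.max_header_count = max_header_count
        self.max_header_size = max_header_size
        self.headers = []
        self.size = 0

    def emit(self, name, value):
        self.headers.append((name, value))
        self.size += len(name) + len(value)

    def validate(self):
        """Reset the stream if the headers decoded so far already exceed a limit."""
        if len(self.headers) > self.max_header_count:
            raise StreamReset("too many headers: %d" % len(self.headers))
        if self.size > self.max_header_size:
            raise StreamReset("headers too large: %d bytes" % self.size)

def decode_fragment(emitter, fragment):
    """Decode the constructed 'name: value' lines into the emitter."""
    for line in fragment.decode("ascii").splitlines():
        name, _, value = line.partition(": ")
        emitter.emit(name, value)

def process_header_block(data, stream_id, max_header_count, max_header_size,
                         validate_per_frame):
    """Consume one stream's HEADERS/CONTINUATION frames and return
    (accepted, frames_consumed, headers_decoded). validate_per_frame=False is
    the pre-fix behaviour (check only at END_HEADERS); True checks every frame."""
    emitter = HeaderEmitter(max_header_count, max_header_size)
    frames_consumed = 0
    try:
        for frame_type, flags, sid, payload in parse_frames(data):
            if sid != stream_id or frame_type not in (FRAME_HEADERS, FRAME_CONTINUATION):
                raise ValueError("unexpected frame inside header block")
            decode_fragment(emitter, payload)
            frames_consumed += 1
            end_of_headers = bool(flags & FLAG_END_HEADERS)
            if validate_per_frame or end_of_headers:
                emitter.validate()  # "Validate the headers so far"
            if end_of_headers:
                return True, frames_consumed, len(emitter.headers)
        raise ValueError("header block not terminated by END_HEADERS")
    except StreamReset:
        return False, frames_consumed, len(emitter.headers)

def sample_request(stream_id=1, frames=8, headers_per_frame=5):
    """Constructed request: one HEADERS frame followed by CONTINUATION frames."""
    data = b""
    for i in range(frames):
        start = i * headers_per_frame
        lines = ["x-h%d: v" % (start + k) for k in range(headers_per_frame)]
        frame_type = FRAME_HEADERS if i == 0 else FRAME_CONTINUATION
        flags = FLAG_END_HEADERS if i == frames - 1 else 0
        data += build_frame(frame_type, flags, stream_id, ("\n".join(lines) + "\n").encode("ascii"))
    return data

def compare(max_header_count=10, max_header_size=4096):
    """Feed the same 40-header request to both behaviours."""
    data = sample_request()
    before = process_header_block(data, 1, max_header_count, max_header_size, False)
    after = process_header_block(data, 1, max_header_count, max_header_size, True)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("pre-fix", "fixed"), compare()):
        print("%s: accepted=%s frames_consumed=%d headers_decoded=%d" % ((label,) + result))
```

With a limit of 10 headers, the pre-fix path decodes all 8 frames and 40 headers before it resets the stream, while the fixed path resets after the third frame, as soon as the count passes the limit. That gap, multiplied across many streams on one connection, is the resource consumption described under Impact; the model also shows why the check has to be repeated after each CONTINUATION frame rather than only after the initial HEADERS frame.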

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                     Ecosystem  Affected versions            Patched versions
org.apache.tomcat:tomcat-coyote             Maven      >= 11.0.0-M1, < 11.0.0-M17   11.0.0-M17
org.apache.tomcat:tomcat-coyote             Maven      >= 10.1.0-M1, < 10.1.19      10.1.19
org.apache.tomcat:tomcat-coyote             Maven      >= 9.0.0-M1, < 9.0.86        9.0.86
org.apache.tomcat:tomcat-coyote             Maven      >= 8.5.0, < 8.5.99           8.5.99
org.apache.tomcat.embed:tomcat-embed-core   Maven      >= 8.5.0, < 8.5.99           8.5.99
org.apache.tomcat.embed:tomcat-embed-core   Maven      >= 9.0.0-M1, < 9.0.86        9.0.86
org.apache.tomcat.embed:tomcat-embed-core   Maven      >= 10.1.0-M1, < 10.1.19      10.1.19
org.apache.tomcat.embed:tomcat-embed-core   Maven      >= 11.0.0-M1, < 11.0.0-M17   11.0.0-M17

Affected products: 119

Patches: 4
d07c82194edb

Report HTTP/2 header parsing errors earlier

https://github.com/apache/tomcat · Mark Thomas · Jan 25, 2024 · via ghsa
2 files changed · +11 −5
  • java/org/apache/coyote/http2/Http2Parser.java  +6 −5  modified
    @@ -283,6 +283,9 @@ protected void readHeadersFrame(int streamId, int flags, int payloadSize, ByteBu
     
             swallowPayload(streamId, FrameType.HEADERS.getId(), padLength, true, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (Flags.isEndOfHeaders(flags)) {
                 onHeadersComplete(streamId);
             } else {
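Review bot: on a HEADERS frame without END_HEADERS, the new validateHeaders() call throws before the else branch below runs, so whatever that branch does to register this stream for CONTINUATION tracking (hunk 2 shows headersCurrentStream being cleared when the block ends) is skipped, and the CONTINUATION frames that follow arrive with no stream registered. The comment deleted in hunk 3 stated that all the headers still have to be read when a StreamException is going to be thrown, and nothing here addresses that constraint: please confirm how the remaining frames of this header block are consumed after the early reset, and replace "Validate the headers so far" with a comment that says why throwing mid-block is safe for the HPACK decoder state.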
    @@ -446,6 +449,9 @@ protected void readContinuationFrame(int streamId, int flags, int payloadSize, B
     
             readHeaderPayload(streamId, payloadSize, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (endOfHeaders) {
                 headersCurrentStream = -1;
                 onHeadersComplete(streamId);
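Review bot: validateHeaders() is placed ahead of `headersCurrentStream = -1;`, so if the final CONTINUATION frame is the one that pushes the headers over a limit, the parser leaves headersCurrentStream pointing at the rejected stream. Unless the StreamException handler resets it, the next HEADERS frame on a different stream could be treated as a misplaced continuation. Either clear headersCurrentStream when endOfHeaders is set before calling validateHeaders(), or reset it on the exception path.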
    @@ -637,11 +643,6 @@ protected void onHeadersComplete(int streamId) throws Http2Exception {
                         Http2Error.COMPRESSION_ERROR);
             }
     
    -        // Delay validation (and triggering any exception) until this point
    -        // since all the headers still have to be read if a StreamException is
    -        // going to be thrown.
    -        hpackDecoder.getHeaderEmitter().validateHeaders();
    -
             synchronized (output) {
                 output.headersEnd(streamId, headersEndStream);
     
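Review bot: the deleted comment was the only documentation of the HPACK constraint (all headers must still be read if a StreamException is going to be thrown), and this hunk removes it without recording where that constraint is now satisfied. Since validation has moved to the end of each frame, please restate the rationale at the new call sites, and note here that onHeadersComplete now relies on its callers having already validated the emitted headers.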
    
  • webapps/docs/changelog.xml  +5 −0  modified
    @@ -171,6 +171,11 @@
             <code>Content-Type</code> value to improve performance by reducing
             repeated <code>byte[]</code> to <code>String</code> conversions. (markt)
           </fix>
    +      <fix>
    +        Improve error reporting to HTTP/2 clients for header processing errors
    +        by reporting problems at the end of the frame where the error was
    +        detected rather than at the end of the headers. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
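Review bot: the entry describes the change as an error-reporting improvement and says nothing about the effect that motivated it, namely that a stream exceeding the header limits is now reset at the frame where the limit is crossed instead of after the whole header block has been decoded. Consider wording the entry around that behaviour so changelog readers can connect it to the header-limit settings it affects.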
    
8e03be9f2698

Report HTTP/2 header parsing errors earlier

https://github.com/apache/tomcat · Mark Thomas · Jan 25, 2024 · via ghsa
2 files changed · +11 −5
  • java/org/apache/coyote/http2/Http2Parser.java  +6 −5  modified
    @@ -283,6 +283,9 @@ protected void readHeadersFrame(int streamId, int flags, int payloadSize, ByteBu
     
             swallowPayload(streamId, FrameType.HEADERS.getId(), padLength, true, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (Flags.isEndOfHeaders(flags)) {
                 onHeadersComplete(streamId);
             } else {
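Review bot: the three Http2Parser hunks and the changelog entry in this commit are identical to d07c82194edb apart from line offsets; the review points raised on that commit (continuation tracking skipped when validateHeaders() throws on a HEADERS frame, headersCurrentStream left set when it throws on the final CONTINUATION frame, and the lost HPACK rationale comment) apply here unchanged.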
    @@ -446,6 +449,9 @@ protected void readContinuationFrame(int streamId, int flags, int payloadSize, B
     
             readHeaderPayload(streamId, payloadSize, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (endOfHeaders) {
                 headersCurrentStream = -1;
                 onHeadersComplete(streamId);
    @@ -637,11 +643,6 @@ protected void onHeadersComplete(int streamId) throws Http2Exception {
                         Http2Error.COMPRESSION_ERROR);
             }
     
    -        // Delay validation (and triggering any exception) until this point
    -        // since all the headers still have to be read if a StreamException is
    -        // going to be thrown.
    -        hpackDecoder.getHeaderEmitter().validateHeaders();
    -
             synchronized (output) {
                 output.headersEnd(streamId, headersEndStream);
     
    
  • webapps/docs/changelog.xml  +5 −0  modified
    @@ -171,6 +171,11 @@
             <code>Content-Type</code> value to improve performance by reducing
             repeated <code>byte[]</code> to <code>String</code> conversions. (markt)
           </fix>
    +      <fix>
    +        Improve error reporting to HTTP/2 clients for header processing errors
    +        by reporting problems at the end of the frame where the error was
    +        detected rather than at the end of the headers. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    
810f49d5ff6d

Report HTTP/2 header parsing errors earlier

https://github.com/apache/tomcat · Mark Thomas · Jan 25, 2024 · via ghsa
2 files changed · +11 −5
  • java/org/apache/coyote/http2/Http2Parser.java  +6 −5  modified
    @@ -266,6 +266,9 @@ protected void readHeadersFrame(int streamId, int flags, int payloadSize, ByteBu
     
             swallowPayload(streamId, FrameType.HEADERS.getId(), padLength, true, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (Flags.isEndOfHeaders(flags)) {
                 onHeadersComplete(streamId);
             } else {
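Review bot: this backport matches d07c82194edb line for line apart from the hunk offsets, so the same questions apply: how the CONTINUATION frames following a HEADERS frame are handled once validateHeaders() throws before the else branch runs, and whether headersCurrentStream is reset when the throw happens on the final CONTINUATION frame.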
    @@ -429,6 +432,9 @@ protected void readContinuationFrame(int streamId, int flags, int payloadSize, B
     
             readHeaderPayload(streamId, payloadSize, buffer);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (endOfHeaders) {
                 headersCurrentStream = -1;
                 onHeadersComplete(streamId);
    @@ -620,11 +626,6 @@ protected void onHeadersComplete(int streamId) throws Http2Exception {
                         Http2Error.COMPRESSION_ERROR);
             }
     
    -        // Delay validation (and triggering any exception) until this point
    -        // since all the headers still have to be read if a StreamException is
    -        // going to be thrown.
    -        hpackDecoder.getHeaderEmitter().validateHeaders();
    -
             synchronized (output) {
                 output.headersEnd(streamId, headersEndStream);
     
    
  • webapps/docs/changelog.xml  +5 −0  modified
    @@ -182,6 +182,11 @@
             <code>Content-Type</code> value to improve performance by reducing
             repeated <code>byte[]</code> to <code>String</code> conversions. (markt)
           </fix>
    +      <fix>
    +        Improve error reporting to HTTP/2 clients for header processing errors
    +        by reporting problems at the end of the frame where the error was
    +        detected rather than at the end of the headers. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    
0cac540a8822

Report HTTP/2 header parsing errors earlier

https://github.com/apache/tomcat · Mark Thomas · Jan 25, 2024 · via ghsa
2 files changed · +11 −5
  • java/org/apache/coyote/http2/Http2Parser.java  +6 −5  modified
    @@ -265,6 +265,9 @@ private void readHeadersFrame(int streamId, int flags, int payloadSize) throws H
     
             swallowPayload(streamId, FrameType.HEADERS.getId(), padLength, true);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (Flags.isEndOfHeaders(flags)) {
                 onHeadersComplete(streamId);
             } else {
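Review bot: this branch's Http2Parser differs from the other three (private methods without the ByteBuffer parameter, and onHeadersComplete calls output.headersEnd without the synchronized block), so the backport was applied by hand; the call sites chosen are the same three as in d07c82194edb and the review points raised there, in particular the continuation tracking skipped when validateHeaders() throws on a HEADERS frame without END_HEADERS, apply here as well.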
    @@ -405,6 +408,9 @@ private void readContinuationFrame(int streamId, int flags, int payloadSize) thr
     
             readHeaderPayload(streamId, payloadSize);
     
    +        // Validate the headers so far
    +        hpackDecoder.getHeaderEmitter().validateHeaders();
    +
             if (endOfHeaders) {
                 headersCurrentStream = -1;
                 onHeadersComplete(streamId);
    @@ -576,11 +582,6 @@ private void onHeadersComplete(int streamId) throws Http2Exception {
                         Http2Error.COMPRESSION_ERROR);
             }
     
    -        // Delay validation (and triggering any exception) until this point
    -        // since all the headers still have to be read if a StreamException is
    -        // going to be thrown.
    -        hpackDecoder.getHeaderEmitter().validateHeaders();
    -
             output.headersEnd(streamId, headersEndStream);
     
             if (headersEndStream) {
    
  • webapps/docs/changelog.xml  +5 −0  modified
    @@ -165,6 +165,11 @@
             <code>Content-Type</code> value to improve performance by reducing
             repeated <code>byte[]</code> to <code>String</code> conversions. (markt)
           </fix>
    +      <fix>
    +        Improve error reporting to HTTP/2 clients for header processing errors
    +        by reporting problems at the end of the frame where the error was
    +        detected rather than at the end of the headers. (markt)
    +      </fix>
         </changelog>
       </subsection>
       <subsection name="Jasper">
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 12

News mentions: 0

No linked articles in our index yet.