Apache Tomcat: HTTP/2 excess header handling DoS
Description
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 11.0.0-M1, < 11.0.0-M21 | 11.0.0-M21 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 10.1.0-M1, < 10.1.25 | 10.1.25 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0-M1, < 9.0.90 | 9.0.90 |
org.apache.tomcat:tomcat-coyoteMaven | >= 11.0.0-M1, < 11.0.0-M21 | 11.0.0-M21 |
org.apache.tomcat:tomcat-coyoteMaven | >= 10.1.0-M1, < 10.1.25 | 10.1.25 |
org.apache.tomcat:tomcat-coyoteMaven | >= 9.0.0-M1, < 9.0.90 | 9.0.90 |
org.apache.tomcat:tomcat-coyoteMaven | >= 8.5.0, <= 8.5.100 | — |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, <= 8.5.100 | — |
Affected products
52- osv-coords51 versionspkg:apk/chainguard/thingsboardpkg:apk/chainguard/thingsboard-tb-js-executorpkg:apk/chainguard/thingsboard-tb-mqtt-transportpkg:apk/chainguard/thingsboard-tb-nodepkg:apk/chainguard/thingsboard-tb-web-uipkg:apk/chainguard/tomcat-9-openjdk-11pkg:apk/chainguard/tomcat-9-openjdk-17pkg:apk/chainguard/tomcat-9-openjdk-21pkg:apk/chainguard/tomcat-9-openjdk-8pkg:apk/wolfi/thingsboardpkg:apk/wolfi/thingsboard-tb-js-executorpkg:apk/wolfi/thingsboard-tb-mqtt-transportpkg:apk/wolfi/thingsboard-tb-nodepkg:apk/wolfi/thingsboard-tb-web-uipkg:bitnami/tomcatpkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:maven/org.apache.tomcat/tomcat-coyotepkg:rpm/almalinux/tomcatpkg:rpm/almalinux/tomcat-admin-webappspkg:rpm/almalinux/tomcat-docs-webapppkg:rpm/almalinux/tomcat-el-3.0-apipkg:rpm/almalinux/tomcat-jsp-2.3-apipkg:rpm/almalinux/tomcat-libpkg:rpm/almalinux/tomcat-servlet-4.0-apipkg:rpm/almalinux/tomcat-webappspkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/tomcat&distro=SUSE%20Manager%20Server%204.3
< 3.7-r2+ 50 more
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 4.2.1-r7
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 9.0.112-r0
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 4.2.1-r7
- (no CPE)range: < 3.7-r2
- (no CPE)range: < 3.7-r2
- (no CPE)range: >= 9.0.0, < 9.0.90
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M21
- (no CPE)range: >= 11.0.0-M1, < 11.0.0-M21
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 1:9.0.87-1.el9_4.2
- (no CPE)range: < 10.1.25-150200.5.25.1
- (no CPE)range: < 10.1.25-150200.5.25.1
- (no CPE)range: < 10.1.25-1.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-1.1
- (no CPE)range: < 10.1.25-150200.5.25.1
- (no CPE)range: < 10.1.25-150200.5.25.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.36-3.127.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.36-3.127.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.91-150200.68.1
- (no CPE)range: < 9.0.115-3.160.1
- (no CPE)range: < 9.0.91-150200.68.1
- Apache Software Foundation/Apache Tomcatv5Range: 11.0.0-M1
Patches
Vulnerability mechanics
References
11- github.com/advisories/GHSA-wm9w-rjj3-j356ghsaADVISORY
- lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8lghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2024-34750ghsaADVISORY
- github.com/apache/tomcat/commit/2344a4c0d03e307ba6b8ab6dc8b894cc8bac63f2ghsaWEB
- github.com/apache/tomcat/commit/2afae300c9ac9c0e516e2e9de580847d925365c3ghsaWEB
- github.com/apache/tomcat/commit/9fec9a82887853402833a80b584e3762c7423f5fghsaWEB
- lists.debian.org/debian-lts-announce/2025/07/msg00009.htmlghsaWEB
- security.netapp.com/advisory/ntap-20240816-0004ghsaWEB
- tomcat.apache.org/security-10.htmlghsaWEB
- tomcat.apache.org/security-11.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
News mentions
0No linked articles in our index yet.