Maven package
org.apache.tomcat/tomcat-coyote
pkg:maven/org.apache.tomcat/tomcat-coyote
Vulnerabilities (24)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32990 | Med | 5.3 | >= 9.0.113, < 9.0.116 | 9.0.116 | Apr 9, 2026 | Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, | |
| CVE-2026-24734 | — | >= 11.0.0-M1, < 11.0.18 | 11.0.18 | Feb 17, 2026 | Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revo | ||
| CVE-2025-66614 | — | >= 11.0.0-M1, < 11.0.15 | 11.0.15 | Feb 17, 2026 | Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through | ||
| CVE-2025-48989 | Hig | 7.5 | >= 11.0.0-M1, < 11.0.10 | 11.0.10 | Aug 13, 2025 | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may al | |
| CVE-2025-53506 | — | >= 11.0.0-M1, < 11.0.9 | 11.0.9 | Jul 10, 2025 | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1 | ||
| CVE-2025-31650 | — | >= 9.0.76, < 9.0.104 | 9.0.104 | Apr 28, 2025 | Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resul | ||
| CVE-2024-52317 | — | >= 9.0.92, < 9.0.96 | 9.0.96 | Nov 18, 2024 | Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from | ||
| CVE-2024-34750 | — | >= 11.0.0-M1, < 11.0.0-M21 | 11.0.0-M21 | Jul 3, 2024 | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn | ||
| CVE-2024-24549 | — | >= 11.0.0-M1, < 11.0.0-M17 | 11.0.0-M17 | Mar 13, 2024 | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha | ||
| CVE-2024-21733 | — | >= 9.0.0-M11, < 9.0.44 | 9.0.44 | Jan 19, 2024 | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on | ||
| CVE-2023-45648 | — | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 | Oct 10, 2023 | Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header | ||
| CVE-2023-42795 | — | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 | Oct 10, 2023 | Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part | ||
| CVE-2023-42794 | — | >= 9.0.70, < 9.0.81 | 9.0.81 | Oct 10, 2023 | Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-34981 | — | >= 8.5.88, < 8.5.89 | 8.5.89 | Jun 21, 2023 | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would | ||
| CVE-2023-28709 | — | >= 8.5.85, < 8.5.88 | 8.5.88 | May 22, 2023 | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a | ||
| CVE-2023-24998 | — | >= 10.1.0-M1, < 10.1.5 | 10.1.5 | Feb 20, 2023 | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur | ||
| CVE-2022-42252 | — | >= 9.0.0-M1, < 9.0.68 | 9.0.68 | Nov 1, 2022 | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len | ||
| CVE-2020-17527 | — | >= 10.0.0-M1, < 10.0.0-M10 | 10.0.0-M10 | Dec 3, 2020 | While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent str | ||
| CVE-2020-13943 | — | >= 10.0.0-M1, < 10.0.0-M8 | 10.0.0-M8 | Oct 12, 2020 | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that co |
- affected >= 9.0.113, < 9.0.116fixed 9.0.116
Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,
- CVE-2026-24734Feb 17, 2026affected >= 11.0.0-M1, < 11.0.18fixed 11.0.18
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revo
- CVE-2025-66614Feb 17, 2026affected >= 11.0.0-M1, < 11.0.15fixed 11.0.15
Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through
- affected >= 11.0.0-M1, < 11.0.10fixed 11.0.10
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may al
- CVE-2025-53506Jul 10, 2025affected >= 11.0.0-M1, < 11.0.9fixed 11.0.9
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1
- CVE-2025-31650Apr 28, 2025affected >= 9.0.76, < 9.0.104fixed 9.0.104
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resul
- CVE-2024-52317Nov 18, 2024affected >= 9.0.92, < 9.0.96fixed 9.0.96
Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from
- CVE-2024-34750Jul 3, 2024affected >= 11.0.0-M1, < 11.0.0-M21fixed 11.0.0-M21
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn
- CVE-2024-24549Mar 13, 2024affected >= 11.0.0-M1, < 11.0.0-M17fixed 11.0.0-M17
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha
- CVE-2024-21733Jan 19, 2024affected >= 9.0.0-M11, < 9.0.44fixed 9.0.44
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on
- CVE-2023-45648Oct 10, 2023affected >= 11.0.0-M1, < 11.0.0-M12fixed 11.0.0-M12
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header
- CVE-2023-42795Oct 10, 2023affected >= 11.0.0-M1, < 11.0.0-M12fixed 11.0.0-M12
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part
- CVE-2023-42794Oct 10, 2023affected >= 9.0.70, < 9.0.81fixed 9.0.81
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web
- affected >= 11.0.0-M1, < 11.0.0-M12fixed 11.0.0-M12
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-34981Jun 21, 2023affected >= 8.5.88, < 8.5.89fixed 8.5.89
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would
- CVE-2023-28709May 22, 2023affected >= 8.5.85, < 8.5.88fixed 8.5.88
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a
- CVE-2023-24998Feb 20, 2023affected >= 10.1.0-M1, < 10.1.5fixed 10.1.5
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur
- CVE-2022-42252Nov 1, 2022affected >= 9.0.0-M1, < 9.0.68fixed 9.0.68
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len
- CVE-2020-17527Dec 3, 2020affected >= 10.0.0-M1, < 10.0.0-M10fixed 10.0.0-M10
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent str
- CVE-2020-13943Oct 12, 2020affected >= 10.0.0-M1, < 10.0.0-M8fixed 10.0.0-M8
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that co
Page 1 of 2