VYPR

Maven package

org.apache.tomcat/tomcat-coyote

pkg:maven/org.apache.tomcat/tomcat-coyote

Vulnerabilities (22)

  • CVE-2026-32990 · Medium · Apr 9, 2026
    affected >= 9.0.113, < 9.0.116 · fixed 9.0.116

    Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20,

  • CVE-2026-24734 · Feb 17, 2026
    affected >= 11.0.0-M1, < 11.0.18 · fixed 11.0.18

    Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revo

  • CVE-2025-48989 · High · Aug 13, 2025
    affected >= 11.0.0-M1, < 11.0.10 · fixed 11.0.10

    Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may al

  • CVE-2025-53506 · Jul 10, 2025
    affected >= 11.0.0-M1, < 11.0.9 · fixed 11.0.9

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1

  • CVE-2025-31650 · Apr 28, 2025
    affected >= 9.0.76, < 9.0.104 · fixed 9.0.104

    Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resul

  • CVE-2024-52317 · Nov 18, 2024
    affected >= 9.0.92, < 9.0.96 · fixed 9.0.96

    Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from

  • CVE-2024-34750 · Jul 3, 2024
    affected >= 11.0.0-M1, < 11.0.0-M21 · fixed 11.0.0-M21

    Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn

  • CVE-2024-24549 · Mar 13, 2024
    affected >= 11.0.0-M1, < 11.0.0-M17 · fixed 11.0.0-M17

    Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha

  • CVE-2024-21733 · Jan 19, 2024
    affected >= 9.0.0-M11, < 9.0.44 · fixed 9.0.44

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on

  • CVE-2023-42795 · Oct 10, 2023
    affected >= 11.0.0-M1, < 11.0.0-M12 · fixed 11.0.0-M12

    Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part

  • CVE-2023-42794 · Oct 10, 2023
    affected >= 9.0.70, < 9.0.81 · fixed 9.0.81

    Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web

  • CVE-2023-44487 · High · KEV · Oct 10, 2023
    affected >= 11.0.0-M1, < 11.0.0-M12 · fixed 11.0.0-M12

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-34981 · Jun 21, 2023
    affected >= 8.5.88, < 8.5.89 · fixed 8.5.89

    A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would

  • CVE-2023-28709 · May 22, 2023
    affected >= 8.5.85, < 8.5.88 · fixed 8.5.88

    The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a

  • CVE-2023-24998 · Feb 20, 2023
    affected >= 10.1.0-M1, < 10.1.5 · fixed 10.1.5

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur

  • CVE-2022-42252 · Nov 1, 2022
    affected >= 9.0.0-M1, < 9.0.68 · fixed 9.0.68

    If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len

  • CVE-2020-17527 · Dec 3, 2020
    affected >= 10.0.0-M1, < 10.0.0-M10 · fixed 10.0.0-M10

    While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent str

  • CVE-2020-13943 · Oct 12, 2020
    affected >= 10.0.0-M1, < 10.0.0-M8 · fixed 10.0.0-M8

    If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that co

  • CVE-2017-5651 · Critical · Apr 17, 2017
    affected >= 9.0.0.M1, < 9.0.0.M19 · fixed 9.0.0.M19

    In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This

  • CVE-2016-6816 · High · Mar 20, 2017
    affected >= 9.0.0.M1, < 9.0.0.M12 · fixed 9.0.0.M12

    The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characte
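
Added here as a worked example, not part of the VYPR listing or of Apache Tomcat: a Python checker that encodes the affected ranges printed above and reports which of them contain a given tomcat-coyote version. Plain string comparison gets Tomcat versions wrong (9.0.0.M19 must sort before 9.0.1, and 11.0.0-M26 before 11.0.0), so the script implements a simplified form of Maven's version ordering (an assumption, not Maven's own code): numeric segments compare numerically, and a milestone or release-candidate qualifier sorts before the unqualified release of the same number. The function names (parse_version, compare_versions, affected_cves, version_from_purl) and the sample versions are this example's own. One caveat the listing itself makes clear: each range above is the single branch the page prints for that CVE, while the descriptions name further branches (CVE-2025-48989, for instance, also lists 9.0.x and 10.1.x), so an empty result means only that none of the printed ranges matched, not that the version is clean.

```python
"""Check a tomcat-coyote version against the affected ranges printed on this page.

Added example, not part of the VYPR page or of Apache Tomcat. The version
ordering is a simplified form of Maven's rules (assumption): numeric segments
compare numerically; a qualifier such as M19 or RC1 sorts before the plain
release of the same number; alpha < beta < milestone < rc < release.
"""
import re
from typing import List, Tuple

# Qualifier ranks, lowest first. An unqualified release ranks highest.
_QUALIFIER_RANK = {"alpha": 0, "a": 0, "beta": 1, "b": 1,
                   "milestone": 2, "m": 2, "rc": 3, "cr": 3}
_RELEASE_RANK = 4

# Affected ranges exactly as printed on this page ('>= lower, < upper').
# Each entry is the ONE branch the listing shows for that CVE; the full
# descriptions name more branches that are not encoded here.
AFFECTED_RANGES = [
    ("CVE-2026-32990", "9.0.113", "9.0.116"),
    ("CVE-2026-24734", "11.0.0-M1", "11.0.18"),
    ("CVE-2025-48989", "11.0.0-M1", "11.0.10"),
    ("CVE-2025-53506", "11.0.0-M1", "11.0.9"),
    ("CVE-2025-31650", "9.0.76", "9.0.104"),
    ("CVE-2024-52317", "9.0.92", "9.0.96"),
    ("CVE-2024-34750", "11.0.0-M1", "11.0.0-M21"),
    ("CVE-2024-24549", "11.0.0-M1", "11.0.0-M17"),
    ("CVE-2024-21733", "9.0.0-M11", "9.0.44"),
    ("CVE-2023-42795", "11.0.0-M1", "11.0.0-M12"),
    ("CVE-2023-42794", "9.0.70", "9.0.81"),
    ("CVE-2023-44487", "11.0.0-M1", "11.0.0-M12"),
    ("CVE-2023-34981", "8.5.88", "8.5.89"),
    ("CVE-2023-28709", "8.5.85", "8.5.88"),
    ("CVE-2023-24998", "10.1.0-M1", "10.1.5"),
    ("CVE-2022-42252", "9.0.0-M1", "9.0.68"),
    ("CVE-2020-17527", "10.0.0-M1", "10.0.0-M10"),
    ("CVE-2020-13943", "10.0.0-M1", "10.0.0-M8"),
    ("CVE-2017-5651", "9.0.0.M1", "9.0.0.M19"),
    ("CVE-2016-6816", "9.0.0.M1", "9.0.0.M12"),
]


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Split '9.0.0.M19' or '11.0.0-M1' into (numbers, qualifier rank, qualifier number).

    Both the '.M19' (Tomcat 9 style) and '-M1' (Tomcat 10/11 style) spellings
    are accepted; a plain release gets _RELEASE_RANK and qualifier number 0.
    """
    numbers: List[int] = []
    rank, number = _RELEASE_RANK, 0
    for token in re.split(r"[.\-]", version.strip()):
        if token.isdigit() and rank == _RELEASE_RANK:
            numbers.append(int(token))
            continue
        m = re.fullmatch(r"([A-Za-z]+)(\d*)", token)
        if not m or m.group(1).lower() not in _QUALIFIER_RANK:
            raise ValueError(f"unsupported version token {token!r} in {version!r}")
        rank = _QUALIFIER_RANK[m.group(1).lower()]
        number = int(m.group(2) or 0)
    while len(numbers) < 3:          # so '9.0' and '9.0.0' compare equal
        numbers.append(0)
    return tuple(numbers), rank, number


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a sorts before, equal to or after b."""
    pa, pb = parse_version(a), parse_version(b)
    return (pa > pb) - (pa < pb)


def affected_cves(version: str) -> List[str]:
    """CVEs from this page whose printed range contains version (lower inclusive, upper exclusive)."""
    return [cve for cve, lower, upper in AFFECTED_RANGES
            if compare_versions(version, lower) >= 0 and compare_versions(version, upper) < 0]


def version_from_purl(purl: str) -> str:
    """Extract the version from this page's purl with an '@version' suffix, e.g. ...tomcat-coyote@9.0.114."""
    prefix = "pkg:maven/org.apache.tomcat/tomcat-coyote@"
    if not purl.startswith(prefix):
        raise ValueError("not a versioned tomcat-coyote purl")
    return purl[len(prefix):].split("?", 1)[0]


if __name__ == "__main__":
    # Constructed sample versions; a 9.0.x build also needs the descriptions
    # checked, since most 9.0.x branches are not among the printed ranges.
    for v in ("9.0.0.M5", "9.0.114", "11.0.0-M12", "11.0.20"):
        print(f"{v:>12} -> {affected_cves(v) or 'none of the printed ranges'}")
```

Feed it the version from a build's resolved dependency tree (or a purl from an SBOM via version_from_purl) rather than a hand-typed string, and treat an empty list for a 9.0.x or 10.1.x version as a prompt to read the descriptions, not as a pass.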

Page 1 of 2