BIT-tomcat-2025-53506
Uncontrolled Resource Consumption vulnerability in tomcat-coyote (Maven)


What is BIT-tomcat-2025-53506 About?

This vulnerability in the HTTP/2 connector of Apache Tomcat (tomcat-coyote, also bundled in tomcat-embed-core) allows Uncontrolled Resource Consumption by a remote client. It occurs when an HTTP/2 client does not acknowledge the initial SETTINGS frame in which Tomcat reduces the maximum permitted concurrent streams: in affected versions the reduced limit took effect only after that acknowledgement, so a client that withholds it can open far more streams than the server intended, exhausting server resources and causing a Denial of Service. Exploitation is remote and requires no authentication.

Affected Software

  • org.apache.tomcat:tomcat-coyote
    • >=9.0.0.M1, <9.0.107
    • >=10.1.0-M1, <10.1.43
    • >=8.5.0, <=8.5.100
    • >=11.0.0-M1, <11.0.9
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=9.0.0.M1, <9.0.107
    • >=10.1.0-M1, <10.1.43
    • >=8.5.0, <=8.5.100
    • >=11.0.0-M1, <11.0.9

Technical Details

The vulnerability arises in Apache Tomcat's HTTP/2 implementation. The HTTP/2 specification sets the initial value of SETTINGS_MAX_CONCURRENT_STREAMS to unlimited; a server that wants a lower limit advertises it in the SETTINGS frame it sends at the start of every connection, and the peer is required to reply with a SETTINGS frame carrying the ACK flag. Tomcat advertises its configured maxConcurrentStreams (100 by default) this way. In affected versions the reduced limit was only applied once the client's acknowledgement arrived; until then the connection was still governed by the unlimited initial value. A malicious or misbehaving client therefore only has to send the connection preface, never send the SETTINGS ACK, and keep opening new streams (HEADERS frames with fresh stream identifiers). Each stream costs memory and processing on the Tomcat server, so the connection consumes resources without bound and the service degrades into a Denial of Service. Fixed versions enforce the advertised limit from the moment the SETTINGS frame is sent, regardless of whether the client acknowledges it.
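
The exchange above, reduced to the frames and the server-side state that matter, as an added example. This is not Tomcat code and not a working exploit: the server class is a toy that tracks only the advertised stream limit, whether the client has acknowledged it, and the open streams, and the `enforce_before_ack` flag is an assumption used to model the two behaviours (False: limit applied only after the client's SETTINGS ACK, as in affected versions; True: limit applied as soon as the SETTINGS frame is sent, as in the fix). HEADERS frames are sent with an empty payload because HPACK encoding is irrelevant to the point being shown.

```python
"""Toy model of the HTTP/2 stream-limit gap described above (CVE-2025-53506).

Added example, not Tomcat code.  `enforce_before_ack` is an assumption that
selects the modelled behaviour: False = pre-fix, True = fixed.
"""
import struct

# Frame types, flags, setting identifiers and error codes from RFC 9113.
HEADERS, RST_STREAM, SETTINGS = 0x1, 0x3, 0x4
FLAG_ACK, FLAG_END_HEADERS = 0x1, 0x4
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
REFUSED_STREAM = 0x7
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def encode_frame(ftype, flags, stream_id, payload=b""):
    """9-byte frame header (24-bit length, type, flags, 31-bit stream id) + payload."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def decode_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames = []
    while buf:
        length = int.from_bytes(buf[:3], "big")
        stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
        frames.append((buf[3], buf[4], stream_id, buf[9:9 + length]))
        buf = buf[9 + length:]
    return frames


class ToyHttp2Server:
    """Per-connection stream admission; keeps only the state relevant to this bug."""

    def __init__(self, max_streams=100, enforce_before_ack=True):
        self.max_streams = max_streams            # Tomcat's default maxConcurrentStreams is 100
        self.enforce_before_ack = enforce_before_ack
        self.settings_acked = False
        self.open_streams = set()
        self.out = b""                            # frames the server has sent to the client

    def accept_preface(self, preface):
        if preface != PREFACE:
            raise ValueError("bad HTTP/2 connection preface")
        # Initial SETTINGS frame: lower the RFC initial value (unlimited) to max_streams.
        payload = struct.pack("!HI", SETTINGS_MAX_CONCURRENT_STREAMS, self.max_streams)
        self.out += encode_frame(SETTINGS, 0, 0, payload)

    def effective_limit(self):
        """None means the RFC initial value is still in force: no limit at all."""
        if self.settings_acked or self.enforce_before_ack:
            return self.max_streams
        return None

    def receive(self, data):
        for ftype, flags, sid, payload in decode_frames(data):
            if ftype == SETTINGS:
                if flags & FLAG_ACK:
                    self.settings_acked = True    # client acknowledged our reduced limit
                else:
                    self.out += encode_frame(SETTINGS, FLAG_ACK, 0)  # ACK the client's settings
            elif ftype == HEADERS:
                limit = self.effective_limit()
                if limit is not None and len(self.open_streams) >= limit:
                    # Over the limit: refuse the stream instead of allocating for it.
                    self.out += encode_frame(RST_STREAM, 0, sid, struct.pack("!I", REFUSED_STREAM))
                else:
                    self.open_streams.add(sid)


def simulate(enforce_before_ack, client_acks, streams=250):
    """Drive one connection; return (streams accepted, streams refused) by the server."""
    server = ToyHttp2Server(enforce_before_ack=enforce_before_ack)
    server.accept_preface(PREFACE)
    client_frames = encode_frame(SETTINGS, 0, 0)             # client's own (empty) SETTINGS
    if client_acks:
        client_frames += encode_frame(SETTINGS, FLAG_ACK, 0)  # the ACK an abusive client withholds
    for i in range(streams):                                  # client-initiated streams are odd-numbered
        client_frames += encode_frame(HEADERS, FLAG_END_HEADERS, 2 * i + 1)  # HPACK block omitted
    server.receive(client_frames)
    refused = sum(1 for f in decode_frames(server.out) if f[0] == RST_STREAM)
    return len(server.open_streams), refused


if __name__ == "__main__":
    for label, fixed, ack in [("pre-fix, client ACKs", False, True),
                              ("pre-fix, client withholds ACK", False, False),
                              ("fixed, client withholds ACK", True, False)]:
        accepted, refused = simulate(fixed, ack)
        print(f"{label:32s} accepted={accepted:4d} refused={refused}")
```

Running it shows the asymmetry at the heart of the advisory: with the pre-fix behaviour a well-behaved client is capped at 100 streams while a client that simply never sends the SETTINGS ACK gets all 250 accepted; with the fixed behaviour both cases are capped at 100 and the excess streams are refused with RST_STREAM.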

What is the Impact of BIT-tomcat-2025-53506?

Successful exploitation may allow attackers to cause Uncontrolled Resource Consumption, leading to a Denial of Service and making the service unavailable to legitimate users.

What is the Exploitability of BIT-tomcat-2025-53506?

Exploitation of this vulnerability is remote and requires no authentication. The complexity is low: the attacker opens an HTTP/2 connection, deliberately never sends the SETTINGS ACK for the server's initial SETTINGS frame, and keeps opening new streams to exhaust server resources. The only prerequisite is that the target runs an affected version of Apache Tomcat with HTTP/2 enabled. HTTP/2 is not enabled in Tomcat by default; it has to be configured with an UpgradeProtocol of class org.apache.coyote.http2.Http2Protocol on a connector, so a deployment that has not done so is not exposed, and disabling that upgrade protocol is a stopgap where an immediate upgrade is not possible. Where HTTP/2 is enabled, the ease of exploitation by any unauthenticated remote client makes this a high-risk issue.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for BIT-tomcat-2025-53506?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=9.0.0.M1, <9.0.107 → Upgrade to 9.0.107
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=10.1.0-M1, <10.1.43 → Upgrade to 10.1.43
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=11.0.0-M1, <11.0.9 → Upgrade to 11.0.9
  • org.apache.tomcat:tomcat-coyote
    • >=9.0.0.M1, <9.0.107 → Upgrade to 9.0.107
  • org.apache.tomcat:tomcat-coyote
    • >=10.1.0-M1, <10.1.43 → Upgrade to 10.1.43
  • org.apache.tomcat:tomcat-coyote
    • >=11.0.0-M1, <11.0.9 → Upgrade to 11.0.9

There is no fixed release on the 8.5.x branch: Tomcat 8.5 is end of life and 8.5.100 was its final release, so affected 8.5.x deployments need to move to 9.0.107 or a later supported branch.
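
A small checker that applies the Affected Software ranges and the upgrade targets above to Maven coordinates, added here as an example; it is not part of the advisory or of any Tomcat tooling. The ranges are copied from this page, so anything outside them is simply reported as not affected, and the dependency lines in SAMPLE are constructed to look like `mvn dependency:list` output. The point worth getting right is ordering: Tomcat milestone versions (9.0.0.M1, 10.1.0-M1) must sort before the GA release they precede, which a plain string or tuple comparison gets wrong.

```python
"""Check Maven Tomcat coordinates against the affected ranges on this page.

Added example, not part of the advisory or of Tomcat.  SAMPLE is constructed
input in the shape of `mvn dependency:list` output.
"""
import re

# (first affected, upper bound, upper bound inclusive?, fixed version or None)
AFFECTED = [
    ("8.5.0",     "8.5.100", True,  None),       # 8.5.x is end of life: no fixed release
    ("9.0.0.M1",  "9.0.107", False, "9.0.107"),
    ("10.1.0-M1", "10.1.43", False, "10.1.43"),
    ("11.0.0-M1", "11.0.9",  False, "11.0.9"),
]
ARTIFACTS = {
    "org.apache.tomcat:tomcat-coyote",
    "org.apache.tomcat.embed:tomcat-embed-core",
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Sort key for Tomcat versions: milestones precede the GA release of the same number."""
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)   # 9.0.0.M1 < 9.0.0 < 9.0.107
    return (int(major), int(minor), int(patch)) + stage


def assess(version):
    """Return (affected, fixed_version); fixed_version is None when unaffected or unfixable."""
    v = parse_version(version)
    for lo, hi, inclusive, fix in AFFECTED:
        below_hi = v <= parse_version(hi) if inclusive else v < parse_version(hi)
        if parse_version(lo) <= v and below_hi:
            return True, fix
    return False, None


def scan_dependency_list(text):
    """Find affected Tomcat artifacts in groupId:artifactId:type[:classifier]:version:scope lines."""
    findings = []
    for line in text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 5:                       # not a full Maven coordinate
                continue
            ga, version = f"{parts[0]}:{parts[1]}", parts[-2]   # version sits before the scope
            if ga in ARTIFACTS:
                affected, fix = assess(version)
                if affected:
                    findings.append((ga, version, fix))
    return findings


# Constructed sample in the shape of `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.40:compile
[INFO]    org.apache.tomcat:tomcat-coyote:jar:9.0.107:compile
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:11.0.0-M26:test
[INFO]    org.apache.tomcat:tomcat-coyote:jar:8.5.100:compile
[INFO]    org.springframework:spring-web:jar:6.1.5:compile
"""

if __name__ == "__main__":
    for ga, version, fix in scan_dependency_list(SAMPLE):
        action = f"upgrade to {fix}" if fix else "no fixed release on this branch; migrate"
        print(f"{ga} {version}: affected, {action}")
```

Pipe real output into it with `mvn dependency:list | python3 check.py` after swapping SAMPLE for `sys.stdin.read()`; the 8.5.100 finding comes back with no fix version, which is the signal to plan a branch migration rather than a patch bump.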


Additional Resources

What are Similar Vulnerabilities to BIT-tomcat-2025-53506?

Similar Vulnerabilities: CVE-2023-44487, CVE-2023-24998, CVE-2022-45133, CVE-2021-3449, CVE-2020-1938