Apache Tomcat^®

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat^® 11.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Tomcat version that you are using. For Tomcat 11.0.x those are building.html and BUILDING.txt. Both files can be found in the webapps/docs subdirectory of a binary distribution. You may also want to review the Security Considerations page in the documentation.

If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Users mailing list

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Tomcat Security Team. Thank you.

• Fixed in Apache Tomcat 11.0.9
• Fixed in Apache Tomcat 11.0.8
• Fixed in Apache Tomcat 11.0.7
• Fixed in Apache Tomcat 11.0.6
• Fixed in Apache Tomcat 11.0.3
• Fixed in Apache Tomcat 11.0.2
• Fixed in Apache Tomcat 11.0.1
• Fixed in Apache Tomcat 11.0.0
• Fixed in Apache Tomcat 11.0.0-M21
• Fixed in Apache Tomcat 11.0.0-M17
• Fixed in Apache Tomcat 11.0.0-M12
• Fixed in Apache Tomcat 11.0.0-M11
• Fixed in Apache Tomcat 11.0.0-M6
• Fixed in Apache Tomcat 11.0.0-M5
• Fixed in Apache Tomcat 11.0.0-M3

Low: DoS due to overflow in file upload limit CVE-2025-52520

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits.

This was fixed with commit a51e4bed.

The issue was made public on 10 July 2025.

Affects: 11.0.0-M1 to 11.0.8

Important: DoS via excessive HTTP/2 streams CVE-2025-53506

An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS.

This was fixed with commit be8f330f.

The issue was made public on 10 July 2025.

Affects: 11.0.0-M1 to 11.0.8

Moderate: Security constraint bypass for PreResources and PostResources CVE-2025-49125

When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

This was fixed with commit d94bd36f.

The issue was made public on 16 June 2025.

Affects: 11.0.0-M1 to 11.0.7

Low: Side-loading via Tomcat installer for Windows CVE-2025-49124

During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability.

This was fixed with commit c56456cd.

The issue was made public on 16 June 2025.

Affects: 11.0.0-M1 to 11.0.7

Important: DoS in multipart upload CVE-2025-48988

Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS. The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.

This was fixed with commit 2b0ab14f.

The issue was made public on 16 June 2025.

Affects: 11.0.0-M1 to 11.0.7

Important: DoS in Commons FileUpload CVE-2025-48976

Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.

This was fixed with commit 74f69ffa.

The issue was made public on 16 June 2025.

Affects: 11.0.0-M1 to 11.0.7

Low: CGI security constraint bypass CVE-2025-46701

When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL.

This was fixed with commits fab7247d and 0f01966e.

The issue was made public on 29 May 2025.

Affects: 11.0.0-M1 to 11.0.6

Low: Rewrite rule bypass CVE-2025-31651

For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.

This was fixed with commit fbecc915.

The issue was made public on 28 April 2025.

Affects: 11.0.0-M1 to 11.0.5

Important: Denial of Service via invalid HTTP priority header CVE-2025-31650

Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This was fixed with commits 75554da2, f619e6a0 and ded0285b.

The issue was made public on 28 April 2025.

Affects: 11.0.0-M2 to 11.0.5

Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet - CVE-2025-24813

The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator replaced by ".".

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
• attacker knowledge of the names of security sensitive files being uploaded
• the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

• writes enabled for the default servlet (disabled by default)
• support for partial PUT (enabled by default)
• application was using Tomcat's file based session persistence with the default storage location
• application included a library that may be leveraged in a deserialization attack

This was fixed with commit 0a668e0c.

The issue was made public on 10 March 2025.

Affects: 11.0.0-M1 to 11.0.2

Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete - CVE-2024-56337

The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 11.0.2 or later, users running Tomcat on a case insensitive file system with the default servlet write enabled may need additional configuration depending on the version of Java being used:

• running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
• running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

The issue was made public on 20 December 2024.

Affects: 11.0.0-M1 to 11.0.1

Low: DoS in examples web application CVE-2024-54677

Numerous examples in the examples web application did not place limits on uploaded data enabling an OutOfMemoryError to be triggered causing a denial of service.

This was fixed with commits 4f023660, c0a23927, b1f65728, a95bf2b0, 4a335c6d, 72281466 and cb170768.

The issue was made public on 17 December 2024.

Affects: 11.0.0-M1 to 11.0.1

Important: Remote Code Execution via write enabled Default Servlet CVE-2024-50379

If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP leading to remote code execution.

This was fixed with commits cc7a98b5 and 684247ae.

The issue was made public on 17 December 2024.

Affects: 11.0.0-M1 to 11.0.1

Important: XSS in generated JSPs CVE-2024-52318

The fix for improvement 69333 caused pooled JSP tags not to be released after use which in turn could cause output of some tags not to escaped as expected. This unescaped output could lead to XSS.

This was fixed with commit 8d1fc473.

The issue was made public on 18 November 2024.

Affects: 11.0.0

Important: Request and/or response mix-up CVE-2024-52317

Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users.

This was fixed with commit 9e840cca.

This issue was identified by the Tomcat Security Team on 1 October 2024. The issue was made public on 18 November 2024.

Affects: 11.0.0-M23 to 11.0.0-M26

Low: Authentication Bypass CVE-2024-52316

If Tomcat was configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not have failed, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This was fixed with commit 6d097a66.

This issue was identified by the Tomcat Security Team on 19 September 2024. The issue was made public on 18 November 2024.

Affects: 11.0.0-M1 to 11.0.0-M26

Important: Denial of Service CVE-2024-34750

When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This was fixed with commit 2344a4c0.

This issue was reported to the Tomcat Security Team on 4 May 2024. The issue was made public on 3 July 2024.

Affects: 11.0.0-M1 to 11.0.0-M20

Important: Denial of Service CVE-2024-38286

Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

This was fixed with commit 31978626.

This issue was reported to the Tomcat Security Team on 4 June 2024. The issue was made public on 23 September 2024.

Affects: 11.0.0-M1 to 11.0.0-M20

Important: Denial of Service CVE-2024-23672

It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption.

This was fixed with commit b0e3b1bd.

This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made public on 13 March 2024.

Affects: 11.0.0-M1 to 11.0.0-M16

Important: Denial of Service CVE-2024-24549

When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

This was fixed with commit 810f49d5.

This issue was reported to the Tomcat Security Team on 24 January 2024. The issue was made public on 13 March 2024.

Affects: 11.0.0-M1 to 11.0.0-M16

Important: Request smuggling CVE-2023-45648

Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

This was fixed with commit eb5c094e.

This issue was reported to the Tomcat Security Team on 12 September 2023. The issue was made public on 10 October 2023.

Affects: 11.0.0-M1 to 11.0.0-M11

Important: Denial of Service CVE-2023-44487

Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack. The denial of service typically manifested as an OutOfMemoryError.

This was fixed with commit 9cdfe25b.

This issue was reported to the Tomcat Security Team on 14 September 2023. The issue was made public on 10 October 2023.

Affects: 11.0.0-M1 to 11.0.0-M11

Important: Information Disclosure CVE-2023-42795

When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.

This was fixed with commit d6db22e4.

This issue was identified by the Tomcat Security Team on 13 September 2023. The issue was made public on 10 October 2023.

Affects: 11.0.0-M1 to 11.0.0-M11

Moderate: Open redirect CVE-2023-41080

If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

This was fixed with commit e3703c9a.

This issue was reported to the Tomcat Security Team on 17 August 2023. The issue was made public on 22 August 2023.

Affects: 11.0.0-M1 to 11.0.0-M10

Important: Request smuggling CVE-2023-46589

Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

This was fixed with commit 6f181e10.

This issue was reported to the Tomcat Security Team on 20 October 2023. The issue was made public on 28 November 2023.

Affects: 11.0.0-M1 to 11.0.0-M10

Important: Information disclosure CVE-2023-34981

The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak.

This was fixed with commit 739c7381.

This issue was reported to the Tomcat Security Team on 24 May 2023. The issue was made public on 21 June 2023.

Affects: 11.0.0-M5

Moderate: Apache Tomcat denial of service CVE-2023-28709

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

This was fixed with commit d53d8e7f.

This issue was reported to the Tomcat Security Team on 13 March 2023. The issue was made public on 22 May 2023.

Affects: 11.0.0-M2 to 11.0.0-M4

Important: Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

This was fixed with commit c64d496d.

66471 was reported publicly on 8 February 2023. The security implications were identified by the Tomcat Security team on 9 February 2023. The issue was made public on 22 March 2023.

Affects: 11.0.0-M1 to 11.0.0-M2

Note: The issue below was fixed in Apache Tomcat 11.0.0-M2 but the release vote for the 11.0.0-M2 release candidate did not pass. Therefore, although users must download 11.0.0-M3 to obtain a version that includes a fix for these issues, version 11.0.0-M2 is not included in the list of affected versions.

Important: Apache Tomcat denial of service CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

This was fixed with commit 063e2e81.

This issue was reported to the Apache Tomcat Security team on 11 December 2022. The issue was made public on 20 February 2023.

Affects: 11.0.0-M1