Apache

A newly disclosed flaw in Apache Tomcat’s Coyote engine, tracked as CVE-2025-53506, allows a remote attacker to exhaust the server’s thread pool and hold the container in a prolonged denial-of-service state by repeatedly opening HTTP/2 streams that are never closed. The issue affects the maintained 9.0.x, 10.1.x and 11.0.x branches and carries a CVSS v4 score of 6.3. Until the patched releases are deployed, a reverse proxy in front of Tomcat can blunt the attack by enforcing a SETTINGS-ack timeout or a hard ceiling on concurrent streams per connection.

Source: https://cybersecuritynews.com/apache-tomcat-coyote-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/the-apache-software-foundation

{"id": "the754071625",
 "linkid": "the-apache-software-foundation",
 "type": "Vulnerability",
 "date": "7/2025",
 "severity": "25",
 "impact": "1",
 "explanation": "Attack without any consequences"}
{'affected_entities': [{'industry': 'Various',
                        'location': 'Global',
                        'name': 'Apache Tomcat users',
                        'type': 'Software users'}],
 'attack_vector': 'Network',
 'description': 'A flaw in Apache Tomcat’s Coyote engine allows a remote '
                'attacker to exhaust the server’s thread pool and force a '
                'denial-of-service state by exploiting a race condition in '
                'HTTP/2 stream handling.',
 'impact': {'downtime': 'High',
            'operational_impact': 'High',
            'systems_affected': 'Apache Tomcat servers'},
 'initial_access_broker': {'entry_point': 'TCP port 443'},
 'lessons_learned': 'Ensuring timely updates and monitoring of HTTP/2 stream '
                    'limits can prevent such vulnerabilities.',
 'motivation': 'Disruption of service',
 'post_incident_analysis': {'corrective_actions': ['Upgrade to patched '
                                                   'versions',
                                                   'Enforce SETTINGS-ack '
                                                   'timeout or hard stream '
                                                   'ceiling'],
                            'root_causes': 'Race condition introduced during '
                                           'the refactor that added dynamic '
                                           'stream limits'},
 'recommendations': ['Upgrade to the latest patched versions',
                     'Enforce SETTINGS-ack timeout or hard stream ceiling at '
                     'the reverse-proxy layer'],
 'references': [{'source': 'National Vulnerability Database'},
                {'source': 'GitHub analysts'}],
 'response': {'containment_measures': ['Disable HTTP/2',
                                       'Limit maxConcurrentStreams at the '
                                       'reverse-proxy layer'],
              'remediation_measures': ['Upgrade to patched versions',
                                       'Enforce SETTINGS-ack timeout or hard '
                                       'stream ceiling']},
 'title': 'Apache Tomcat Coyote Engine Vulnerability CVE-2025-53506',
 'type': 'Denial of Service (DoS)',
 'vulnerability_exploited': 'CVE-2025-53506'}
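The mitigation named in the summary and again under 'response' above (a SETTINGS-ack timeout plus a hard per-connection stream ceiling) is easy to reason about as a small state machine. The following is an added example, not Tomcat's or any proxy's code: a simplified model of a server-side stream guard that replays the attack pattern the page describes (streams opened one after another, never closed, SETTINGS never acknowledged). The `StreamGuard` class, the `flood` driver, the 100-stream ceiling, the 5000 ms timeout and the constructed frame sequence are all assumptions made for the illustration. The "weak" configuration models the general failure mode where the server's advertised MAX_CONCURRENT_STREAMS only takes effect once the client acknowledges the SETTINGS frame, which HTTP/2 treats as unlimited until then.

```python
"""Model of an HTTP/2 stream-limit guard (added example; not Tomcat code).

Shows why a limit that only applies after the client ACKs the server's
SETTINGS frame is no limit at all against a client that never ACKs, and
how a pre-ACK hard ceiling plus an ACK timeout contains the flood.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class StreamGuard:
    """Per-connection bookkeeping on the server side (assumed model).

    advertised_limit: MAX_CONCURRENT_STREAMS value sent in the server's SETTINGS.
    pre_ack_ceiling:  hard cap enforced before the client ACKs that SETTINGS;
                      None reproduces the weak behaviour of trusting the client.
    ack_timeout_ms:   close the connection (GOAWAY) if no SETTINGS ACK arrives
                      within this many milliseconds; None disables the timeout.
    """
    advertised_limit: int = 100
    pre_ack_ceiling: Optional[int] = None
    ack_timeout_ms: Optional[int] = None
    settings_sent_ms: int = 0
    settings_acked: bool = False
    open_streams: set = field(default_factory=set)
    closed: bool = False

    def effective_limit(self) -> Optional[int]:
        """Limit in force right now; None means unlimited."""
        if self.settings_acked:
            return self.advertised_limit
        return self.pre_ack_ceiling

    def on_settings_ack(self) -> None:
        self.settings_acked = True

    def on_headers(self, stream_id: int, now_ms: int) -> str:
        """Handle a client HEADERS frame opening stream_id; return the action taken."""
        if self.closed:
            return "dropped"          # connection already torn down
        if (self.ack_timeout_ms is not None and not self.settings_acked
                and now_ms - self.settings_sent_ms >= self.ack_timeout_ms):
            self.closed = True        # client never applied our settings: GOAWAY
            return "goaway"
        limit = self.effective_limit()
        if limit is not None and len(self.open_streams) >= limit:
            return "refused"          # RST_STREAM(REFUSED_STREAM); no thread allocated
        self.open_streams.add(stream_id)
        return "accepted"             # stream gets a worker thread

    def on_stream_closed(self, stream_id: int) -> None:
        self.open_streams.discard(stream_id)


def flood(guard: StreamGuard, n_streams: int, tick_ms: int = 10, ack: bool = False) -> dict:
    """Replay the attack: open n_streams client streams (odd IDs) one every tick_ms,
    never close any of them and, unless ack=True, never ACK SETTINGS. Constructed input."""
    if ack:
        guard.on_settings_ack()
    counts = {"accepted": 0, "refused": 0, "goaway": 0, "dropped": 0}
    for i in range(n_streams):
        action = guard.on_headers(stream_id=2 * i + 1, now_ms=i * tick_ms)
        counts[action] += 1
    counts["open_streams"] = len(guard.open_streams)
    counts["closed"] = guard.closed
    return counts


if __name__ == "__main__":
    # Weak: limit only applies after ACK, so a non-ACKing client pins 1000 streams.
    print("weak     ", flood(StreamGuard(), 1000))
    # Hardened: 100 accepted, the rest refused, connection closed at the 5 s ACK deadline.
    print("hardened ", flood(StreamGuard(pre_ack_ceiling=100, ack_timeout_ms=5000), 1000))
    # Cooperating client under the hardened guard still gets the advertised 100 streams.
    print("acking   ", flood(StreamGuard(pre_ack_ceiling=100, ack_timeout_ms=5000), 1000, ack=True))
```

In the weak configuration every one of the 1000 streams is accepted and stays open, which is the thread-pool exhaustion the page describes; in the hardened configuration only 100 streams ever hold a worker, further HEADERS are refused without allocating anything, and the connection is closed once the ACK deadline passes. In a real deployment the advertised value is Tomcat's `maxConcurrentStreams` attribute on the HTTP/2 upgrade protocol, and the pre-ACK ceiling and ACK timeout are what the reverse-proxy mitigation above supplies until the patched release is in place.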