Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2025-53506
Back to All
CVE

CVE-2025-53506

Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams

Description

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100.

Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Base CVSS

7.5

EPSS Score

0.19%

Introduced Version

8.5.0

Fix Available

11.0.9,9.0.107,10.1.43

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.tomcat.embed:tomcat-embed-core
11.0.2
7 CVES Fixed
C
0
H
7
M
0
L
0
Code Changed
+397
-159

References

https://nvd.nist.gov/vuln/detail/CVE-2025-53506
https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
https://github.com/apache/tomcat

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.