VulnerableCode Package Details - pkg:apache/tomcat@11.0.0-M2

Search for packages

Vulnerability	Summary	Fixed by
VCID-2zq1-na8s-mfdd Aliases: CVE-2025-31650 GHSA-3p2h-wqq4-wf4h	Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.	11.0.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-v7tp-1t4h-zqeg Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm	When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.	11.0.0-M3 Affected by 0 other vulnerabilities.
VCID-xgr8-tpv5-q3b2 Aliases: CVE-2023-28709 GHSA-cx6h-86xw-9x34	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	11.0.0-M5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2zq1-na8s-mfdd
Aliases:
CVE-2025-31650
GHSA-3p2h-wqq4-wf4h

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

11.0.6
Affected by 1 other vulnerability.

VCID-v7tp-1t4h-zqeg
Aliases:
CVE-2023-28708
GHSA-2c9m-w27f-53rm

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

11.0.0-M3
Affected by 0 other vulnerabilities.

VCID-xgr8-tpv5-q3b2
Aliases:
CVE-2023-28709
GHSA-cx6h-86xw-9x34

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

11.0.0-M5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:04.612998+00:00	Apache Tomcat Importer	Affected by	VCID-v7tp-1t4h-zqeg	https://tomcat.apache.org/security-11.html	38.0.0
2026-04-01T12:38:04.581576+00:00	Apache Tomcat Importer	Affected by	VCID-xgr8-tpv5-q3b2	https://tomcat.apache.org/security-11.html	38.0.0
2026-04-01T12:38:03.999567+00:00	Apache Tomcat Importer	Affected by	VCID-2zq1-na8s-mfdd	https://tomcat.apache.org/security-11.html	38.0.0