VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat@9.0.106

Search for packages

Vulnerability	Summary	Fixed by
VCID-8war-4v58-eub2 Aliases: CVE-2026-24734 GHSA-mgp5-rv84-w37q	Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.	9.0.115 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.52 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.18 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-9kfe-1esf-uydm Aliases: CVE-2025-52434 GHSA-4j3c-42xv-3f84	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.	9.0.107 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fpgj-82wf-ykbw Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf	Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	9.0.107 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.43 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-k59r-wjt3-wqe5 Aliases: CVE-2025-52520 GHSA-wr62-c79q-cv37	For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	9.0.107 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.43 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8war-4v58-eub2
Aliases:
CVE-2026-24734
GHSA-mgp5-rv84-w37q

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

9.0.115
Affected by 6 other vulnerabilities.

10.1.52
Affected by 6 other vulnerabilities.

11.0.18
Affected by 6 other vulnerabilities.

VCID-9kfe-1esf-uydm
Aliases:
CVE-2025-52434
GHSA-4j3c-42xv-3f84

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

9.0.107
Affected by 2 other vulnerabilities.

VCID-fpgj-82wf-ykbw
Aliases:
CVE-2025-53506
GHSA-25xr-qj8w-c4vf

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

9.0.107
Affected by 2 other vulnerabilities.

10.1.43
Affected by 2 other vulnerabilities.

11.0.9
Affected by 2 other vulnerabilities.

VCID-k59r-wjt3-wqe5
Aliases:
CVE-2025-52520
GHSA-wr62-c79q-cv37

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

9.0.107
Affected by 2 other vulnerabilities.

10.1.43
Affected by 2 other vulnerabilities.

11.0.9
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-246u-a4rh-yyd4	Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49125 GHSA-wc4r-xq3c-5cf3
VCID-2kku-pzer-9ufv	Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-55668 GHSA-23hv-mwm6-g8jf
VCID-2x6a-3gh1-rkhs	Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.	CVE-2025-48976 GHSA-vv7r-c36w-3prj
VCID-bks8-nvm9-vbgy	Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49124 GHSA-42wg-hm62-jcwg
VCID-gb2v-96xj-ybad	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-48988 GHSA-h3gc-qfqq-6h8f

Vulnerability

Summary

Aliases

VCID-246u-a4rh-yyd4

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49125
GHSA-wc4r-xq3c-5cf3

VCID-2kku-pzer-9ufv

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-55668
GHSA-23hv-mwm6-g8jf

VCID-2x6a-3gh1-rkhs

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

CVE-2025-48976
GHSA-vv7r-c36w-3prj

VCID-bks8-nvm9-vbgy

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49124
GHSA-42wg-hm62-jcwg

VCID-gb2v-96xj-ybad

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-48988
GHSA-h3gc-qfqq-6h8f

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:18:04.591139+00:00	GitLab Importer	Affected by	VCID-8war-4v58-eub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml	38.4.0
2026-04-16T23:31:10.050246+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2025-49124.yml	38.4.0
2026-04-12T01:42:21.156707+00:00	GitLab Importer	Affected by	VCID-8war-4v58-eub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml	38.3.0
2026-04-12T00:50:57.006353+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2025-49124.yml	38.3.0
2026-04-07T04:58:04.220795+00:00	GHSA Importer	Fixing	VCID-bks8-nvm9-vbgy	https://github.com/advisories/GHSA-42wg-hm62-jcwg	38.1.0
2026-04-03T01:51:14.093903+00:00	GitLab Importer	Affected by	VCID-8war-4v58-eub2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml	38.1.0
2026-04-03T00:59:00.684076+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2025-49124.yml	38.1.0
2026-04-02T12:41:35.619298+00:00	GitLab Importer	Fixing	VCID-bks8-nvm9-vbgy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2025-49124.yml	38.0.0
2026-04-01T12:56:55.759265+00:00	GithubOSV Importer	Fixing	VCID-bks8-nvm9-vbgy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-42wg-hm62-jcwg/GHSA-42wg-hm62-jcwg.json	38.0.0
2026-04-01T12:38:07.110424+00:00	Apache Tomcat Importer	Fixing	VCID-2x6a-3gh1-rkhs	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:07.081019+00:00	Apache Tomcat Importer	Fixing	VCID-gb2v-96xj-ybad	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:07.050506+00:00	Apache Tomcat Importer	Fixing	VCID-bks8-nvm9-vbgy	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:07.021276+00:00	Apache Tomcat Importer	Fixing	VCID-246u-a4rh-yyd4	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:06.992433+00:00	Apache Tomcat Importer	Fixing	VCID-2kku-pzer-9ufv	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:06.958440+00:00	Apache Tomcat Importer	Affected by	VCID-fpgj-82wf-ykbw	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:06.927469+00:00	Apache Tomcat Importer	Affected by	VCID-k59r-wjt3-wqe5	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:06.897746+00:00	Apache Tomcat Importer	Affected by	VCID-9kfe-1esf-uydm	https://tomcat.apache.org/security-9.html	38.0.0