Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/tomcat@1:9.0.87-1.el8_10?arch=6
purl pkg:rpm/redhat/tomcat@1:9.0.87-1.el8_10?arch=6
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (7)
Vulnerability Summary Fixed by
VCID-1e6p-cppr-2bh2
Aliases:
CVE-2025-48989
GHSA-gqp3-2cvr-x8m3
Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. There are no reported fixed by versions.
VCID-246u-a4rh-yyd4
Aliases:
CVE-2025-49125
GHSA-wc4r-xq3c-5cf3
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. There are no reported fixed by versions.
VCID-2x6a-3gh1-rkhs
Aliases:
CVE-2025-48976
GHSA-vv7r-c36w-3prj
Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue. There are no reported fixed by versions.
VCID-9kfe-1esf-uydm
Aliases:
CVE-2025-52434
GHSA-4j3c-42xv-3f84
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue. There are no reported fixed by versions.
VCID-fpgj-82wf-ykbw
Aliases:
CVE-2025-53506
GHSA-25xr-qj8w-c4vf
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. There are no reported fixed by versions.
VCID-gb2v-96xj-ybad
Aliases:
CVE-2025-48988
GHSA-h3gc-qfqq-6h8f
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. There are no reported fixed by versions.
VCID-k59r-wjt3-wqe5
Aliases:
CVE-2025-52520
GHSA-wr62-c79q-cv37
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:39:33.250606+00:00 RedHat Importer Affected by VCID-gb2v-96xj-ybad https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48988.json 38.0.0
2026-04-01T13:39:32.894551+00:00 RedHat Importer Affected by VCID-246u-a4rh-yyd4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json 38.0.0
2026-04-01T13:39:32.509399+00:00 RedHat Importer Affected by VCID-2x6a-3gh1-rkhs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48976.json 38.0.0
2026-04-01T13:38:37.802634+00:00 RedHat Importer Affected by VCID-9kfe-1esf-uydm https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52434.json 38.0.0
2026-04-01T13:38:37.467657+00:00 RedHat Importer Affected by VCID-k59r-wjt3-wqe5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52520.json 38.0.0
2026-04-01T13:38:37.117608+00:00 RedHat Importer Affected by VCID-fpgj-82wf-ykbw https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json 38.0.0
2026-04-01T13:37:55.347545+00:00 RedHat Importer Affected by VCID-1e6p-cppr-2bh2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-48989.json 38.0.0