VulnerableCode Package Details - pkg:apache/tomcat@9.0.106

Search for packages

Vulnerability	Summary	Fixed by
VCID-7498-2z96-w3aa Aliases: CVE-2025-52520 GHSA-wr62-c79q-cv37	For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	9.0.107 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.43 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-dk83-wt6s-c3a7 Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf	Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	9.0.107 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.43 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-tc17-t52j-nyh4 Aliases: CVE-2025-52434 GHSA-4j3c-42xv-3f84	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.	9.0.107 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7498-2z96-w3aa
Aliases:
CVE-2025-52520
GHSA-wr62-c79q-cv37

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

9.0.107
Affected by 1 other vulnerability.

10.1.43
Affected by 1 other vulnerability.

11.0.9
Affected by 1 other vulnerability.

VCID-dk83-wt6s-c3a7
Aliases:
CVE-2025-53506
GHSA-25xr-qj8w-c4vf

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

9.0.107
Affected by 1 other vulnerability.

10.1.43
Affected by 1 other vulnerability.

11.0.9
Affected by 1 other vulnerability.

VCID-tc17-t52j-nyh4
Aliases:
CVE-2025-52434
GHSA-4j3c-42xv-3f84

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

9.0.107
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-8sa7-2dgp-t7gv	Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.	CVE-2025-48976 GHSA-vv7r-c36w-3prj
VCID-endz-gtj6-vuet	Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49124
VCID-jknh-z7bv-4kcf	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-48988 GHSA-h3gc-qfqq-6h8f
VCID-uj2y-34xt-hqf3	Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-55668 GHSA-23hv-mwm6-g8jf
VCID-usp8-axuv-v3fb	Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.	CVE-2025-49125 GHSA-wc4r-xq3c-5cf3

Vulnerability

Summary

Aliases

VCID-8sa7-2dgp-t7gv

Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.

CVE-2025-48976
GHSA-vv7r-c36w-3prj

VCID-endz-gtj6-vuet

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49124

VCID-jknh-z7bv-4kcf

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-48988
GHSA-h3gc-qfqq-6h8f

VCID-uj2y-34xt-hqf3

Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-55668
GHSA-23hv-mwm6-g8jf

VCID-usp8-axuv-v3fb

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

CVE-2025-49125
GHSA-wc4r-xq3c-5cf3

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-14T08:24:36.566219+00:00	Apache Tomcat Importer	Fixing	VCID-uj2y-34xt-hqf3	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.476888+00:00	Apache Tomcat Importer	Fixing	VCID-8sa7-2dgp-t7gv	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.448686+00:00	Apache Tomcat Importer	Fixing	VCID-jknh-z7bv-4kcf	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.422002+00:00	Apache Tomcat Importer	Fixing	VCID-endz-gtj6-vuet	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.394409+00:00	Apache Tomcat Importer	Fixing	VCID-usp8-axuv-v3fb	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.362508+00:00	Apache Tomcat Importer	Affected by	VCID-dk83-wt6s-c3a7	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.332022+00:00	Apache Tomcat Importer	Affected by	VCID-7498-2z96-w3aa	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:18.302715+00:00	Apache Tomcat Importer	Affected by	VCID-tc17-t52j-nyh4	https://tomcat.apache.org/security-9.html	37.0.0