Vulnerability details: VCID-9mg7-cusq-kbbt
Vulnerability ID VCID-9mg7-cusq-kbbt
Aliases CVE-2025-53506
GHSA-25xr-qj8w-c4vf
Summary Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (1)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
epss 0.0004 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
epss 0.00052 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53506
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-25xr-qj8w-c4vf
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
generic_textual MODERATE https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
generic_textual MODERATE https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
generic_textual MODERATE https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
cvssv3.1 7.5 https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
generic_textual MODERATE https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
ssvc Track https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-53506
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-53506
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T13:46:01Z/ Found at https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-53506
Exploit Prediction Scoring System (EPSS)
Percentile 0.03054
EPSS Score 0.00018
Published At July 11, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-05T22:25:46.617416+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-9.html 37.0.0