VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ayrd-8ntf-hkh3

Essentials
Severities (22)
References (18)
Severity details (14)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ayrd-8ntf-hkh3
Aliases	CVE-2022-25762 GHSA-h3ch-5pp2-vh6w
Summary	If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-404	Improper Resource Shutdown or Release
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-226	Sensitive Information in Resource Not Removed Before Reuse

System	Score	Found at
cvssv3	8.6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25762.json
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
epss	0.00646	https://api.first.org/data/v1/epss?cve=CVE-2022-25762
apache_tomcat	Important	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762
cvssv3.1	5.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-h3ch-5pp2-vh6w
cvssv3.1	8.6	https://github.com/apache/tomcat
generic_textual	HIGH	https://github.com/apache/tomcat
cvssv3.1	8.6	https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c
generic_textual	HIGH	https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c
cvssv3.1	8.6	https://nvd.nist.gov/vuln/detail/CVE-2022-25762
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-25762
cvssv3.1	8.6	https://security.netapp.com/advisory/ntap-20220629-0003
generic_textual	HIGH	https://security.netapp.com/advisory/ntap-20220629-0003
cvssv3.1	8.6	https://www.oracle.com/security-alerts/cpujul2022.html
generic_textual	HIGH	https://www.oracle.com/security-alerts/cpujul2022.html

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25762.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-25762
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/01f2cf25b270a84d0daeefc4f215aa2f56e1df99
		https://github.com/apache/tomcat/commit/339b40bc07bdba9ded565929b9a3448c5a78f015
		https://github.com/apache/tomcat/commit/65fb1ee548111021edde247f3b3c409ec95a5183
		https://github.com/apache/tomcat/commit/7046644bf361b89afc246b6643e24ce2ae60cacc
		https://github.com/apache/tomcat/commit/e2d5a040b962a904db5264b3cb3282c6b05f823c
		https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c
		https://security.netapp.com/advisory/ntap-20220629-0003
		https://security.netapp.com/advisory/ntap-20220629-0003/
		https://www.oracle.com/security-alerts/cpujul2022.html
2085304		https://bugzilla.redhat.com/show_bug.cgi?id=2085304
CVE-2022-25762		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762
CVE-2022-25762		https://nvd.nist.gov/vuln/detail/CVE-2022-25762
GHSA-h3ch-5pp2-vh6w		https://github.com/advisories/GHSA-h3ch-5pp2-vh6w
RHSA-2020:4847		https://access.redhat.com/errata/RHSA-2020:4847

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25762.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25762

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://security.netapp.com/advisory/ntap-20220629-0003

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Found at https://www.oracle.com/security-alerts/cpujul2022.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.70648
EPSS Score	0.00646
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:38:08.678573+00:00	Apache Tomcat Importer	Import	https://tomcat.apache.org/security-9.html	38.0.0