Vulnerability details: VCID-dk83-wt6s-c3a7
Vulnerability ID VCID-dk83-wt6s-c3a7
Aliases CVE-2025-53506
GHSA-25xr-qj8w-c4vf
Summary Uncontrolled Resource Consumption vulnerability in Apache Tomcat's HTTP/2 connector. The server's initial SETTINGS frame reduces the maximum number of concurrent streams a client may open, but if the client never acknowledged that SETTINGS frame the reduced limit was not enforced until the acknowledgement arrived, so a client that withholds the ACK could keep more streams open than the server was configured to permit. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, and from 9.0.0.M1 through 9.0.106. Upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
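The failure mode in the summary is a policy question inside the server's stream accounting: does the reduced limit apply as soon as the server has advertised it, or only once the client acknowledges it? The model below is an added example, not Tomcat's code and not taken from the fix commits listed on this page. It uses constructed limits (a configured maximum of 20 streams and the RFC 9113 initial "effectively unlimited" value before SETTINGS applies), a simulated client that opens streams without closing any and never sends the SETTINGS ACK, and a small detection helper over a constructed frame trace. The hardened policy it models (enforcing the locally configured limit without waiting for the ACK) is what the advisory summary implies the fix provides; the page does not show the patch, so treat that specific as an assumption.

```python
"""Model of the CVE-2025-53506 failure mode: a server that applies its reduced
SETTINGS_MAX_CONCURRENT_STREAMS only after the client ACKs the SETTINGS frame.
Illustrative code, not Tomcat's implementation."""
from dataclasses import dataclass, field

# Constructed values for the model; Tomcat's real defaults are not taken from this page.
PRE_ACK_LIMIT = 2**31 - 1   # RFC 9113 initial value: effectively unlimited until SETTINGS applies
CONFIGURED_LIMIT = 20       # the reduced limit the server advertises in its initial SETTINGS frame


class StreamLimitExceeded(Exception):
    """Models the server refusing a stream (RST_STREAM REFUSED_STREAM or GOAWAY)."""


@dataclass
class H2Connection:
    """Server-side stream accounting for one HTTP/2 connection."""
    enforce_before_ack: bool                 # False = vulnerable policy, True = hardened policy
    configured_limit: int = CONFIGURED_LIMIT
    settings_acked: bool = False
    open_streams: set = field(default_factory=set)

    def effective_limit(self) -> int:
        # Vulnerable policy: the reduced limit takes effect only once the peer ACKs it.
        # Hardened policy: the server enforces the limit it advertised from the start.
        if self.settings_acked or self.enforce_before_ack:
            return self.configured_limit
        return PRE_ACK_LIMIT

    def on_settings_ack(self) -> None:
        self.settings_acked = True

    def on_headers(self, stream_id: int) -> None:
        """Client opened stream `stream_id` with a HEADERS frame."""
        if len(self.open_streams) >= self.effective_limit():
            raise StreamLimitExceeded(f"stream {stream_id} refused with {len(self.open_streams)} open")
        self.open_streams.add(stream_id)


def flood(conn: H2Connection, attempts: int, ack: bool = False) -> int:
    """A client that opens `attempts` streams and closes none.
    With ack=False it never acknowledges SETTINGS. Returns how many streams were accepted."""
    if ack:
        conn.on_settings_ack()
    accepted = 0
    for sid in range(1, 2 * attempts, 2):    # client-initiated stream IDs are odd
        try:
            conn.on_headers(sid)
        except StreamLimitExceeded:
            break
        accepted += 1
    return accepted


def headers_before_ack(trace: list) -> int:
    """Detection helper over a frame trace of (direction, frame_type, stream_id) tuples:
    counts client HEADERS frames seen before the client's SETTINGS ACK."""
    count = 0
    for direction, ftype, _sid in trace:
        if direction != "client":
            continue
        if ftype == "SETTINGS_ACK":
            break
        if ftype == "HEADERS":
            count += 1
    return count


# Constructed trace: server sends SETTINGS, client opens three streams and never ACKs.
SAMPLE_TRACE = [
    ("server", "SETTINGS", 0),
    ("client", "SETTINGS", 0),
    ("client", "HEADERS", 1),
    ("client", "HEADERS", 3),
    ("client", "HEADERS", 5),
]

if __name__ == "__main__":
    print("vulnerable, no ACK :", flood(H2Connection(enforce_before_ack=False), 500))
    print("hardened,   no ACK :", flood(H2Connection(enforce_before_ack=True), 500))
    print("vulnerable, ACKed  :", flood(H2Connection(enforce_before_ack=False), 500, ack=True))
    print("HEADERS before ACK :", headers_before_ack(SAMPLE_TRACE))
```

Under the vulnerable policy the non-acknowledging client gets all 500 streams accepted, while the same client is cut off at 20 under the hardened policy; a well-behaved client that ACKs is limited to 20 under either policy, which is why the bug only surfaces with a client that withholds the ACK. The trace helper is the shape of check a network-forensics script would run per connection: a high count of client HEADERS frames with no SETTINGS ACK is the signature to alert on, independent of which policy the server runs.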
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
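The three affected ranges in the summary each end one release before the fixed version of the same branch, and the milestone builds (9.0.0.M1, 10.1.0-M1, 11.0.0-M1) sort before the first GA release of their number. The check below is an added example, not VulnerableCode or Tomcat code: it parses an upstream Tomcat version string (bare, or as printed in a "Server version: Apache Tomcat/9.0.106" line) and classifies it against the fixed versions stated on this page. Branches the advisory does not list, such as 8.5.x, are reported as unlisted rather than safe.

```python
"""Classify an Apache Tomcat version against the CVE-2025-53506 ranges in the advisory.
Illustrative code; the fixed versions come from the advisory summary on this page."""
import re

# Fixed versions from the advisory, keyed by (major, minor) branch.
FIXED = {(9, 0): (9, 0, 107), (10, 1): (10, 1, 43), (11, 0): (11, 0, 9)}

# Matches "9.0.106", "9.0.0.M1", "10.1.0-M1", and "Apache Tomcat/9.0.106".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text: str) -> tuple:
    """Return a sortable tuple; milestones sort before the GA release of the same number.
    Layout: (major, minor, patch, 0 for milestone / 1 for GA, milestone number or 0)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    ga_flag = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), ga_flag, int(milestone or 0))


def classify(text: str) -> str:
    """'affected', 'fixed', or 'unlisted' when the branch is not covered by this advisory."""
    v = parse_version(text)
    branch = v[:2]
    if branch not in FIXED:
        return "unlisted"
    first_fixed = FIXED[branch] + (1, 0)      # the GA release that carries the fix
    return "fixed" if v >= first_fixed else "affected"


if __name__ == "__main__":
    for sample in ("9.0.106", "9.0.107", "9.0.0.M1", "10.1.0-M1",
                   "Server version: Apache Tomcat/10.1.43", "11.0.8", "11.0.9", "8.5.100"):
        print(f"{sample:45} {classify(sample)}")
```

This applies to upstream builds identified by their Tomcat version. Distribution packages, such as those covered by the RHSA errata and the Debian bug listed under the references, may carry the fix as a backport without moving to the upstream fixed version, so for those check the distributor's advisory rather than the version string.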
Weaknesses (3)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json
epss 0.00163 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
epss 0.0017 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
epss 0.00195 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
epss 0.00218 https://api.first.org/data/v1/epss?cve=CVE-2025-53506
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53506
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-25xr-qj8w-c4vf
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
generic_textual MODERATE https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
generic_textual MODERATE https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
generic_textual MODERATE https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
cvssv3.1 7.5 https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
generic_textual MODERATE https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
ssvc Track https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-53506
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-53506
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json
https://api.first.org/data/v1/epss?cve=CVE-2025-53506
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
https://nvd.nist.gov/vuln/detail/CVE-2025-53506
1109113 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109113
2379386 https://bugzilla.redhat.com/show_bug.cgi?id=2379386
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CVE-2025-53506 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53506
GHSA-25xr-qj8w-c4vf https://github.com/advisories/GHSA-25xr-qj8w-c4vf
RHSA-2025:11695 https://access.redhat.com/errata/RHSA-2025:11695
RHSA-2025:11696 https://access.redhat.com/errata/RHSA-2025:11696
RHSA-2025:11741 https://access.redhat.com/errata/RHSA-2025:11741
RHSA-2025:11742 https://access.redhat.com/errata/RHSA-2025:11742
RHSA-2025:14177 https://access.redhat.com/errata/RHSA-2025:14177
RHSA-2025:14178 https://access.redhat.com/errata/RHSA-2025:14178
RHSA-2025:14179 https://access.redhat.com/errata/RHSA-2025:14179
RHSA-2025:14180 https://access.redhat.com/errata/RHSA-2025:14180
RHSA-2025:14181 https://access.redhat.com/errata/RHSA-2025:14181
RHSA-2025:14182 https://access.redhat.com/errata/RHSA-2025:14182
RHSA-2025:14183 https://access.redhat.com/errata/RHSA-2025:14183
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-53506.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/2aa6261276ebe50b99276953591e3a2be7898bdb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/be8f330f83ceddaf3baeed57522e571572b6b99b
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T13:46:01Z/ Found at https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-53506
Decoded CVSS 3.1 metrics, common to all sources: Attack Vector Network, Attack Complexity Low, Privileges Required None, User Interaction None, Scope Unchanged, Confidentiality Impact None, Integrity Impact None. The sources differ only in Availability Impact: Red Hat and SUSE rate it Low (score 5.3), while the Apache repository, the three fix commits, the announcement thread and NVD rate it High (score 7.5).
Decoded SSVC vector: Exploitation None, Automatable Yes, Technical Impact Partial, Decision Track (as of 2025-07-11T13:46:01Z).
Exploit Prediction Scoring System (EPSS)
Percentile 0.37719
EPSS Score 0.00163
Published At Sept. 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:03:15.873947+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-11.html 37.0.0