Search for vulnerabilities
Vulnerability details: VCID-e1kv-qs89-9bgv
Vulnerability ID VCID-e1kv-qs89-9bgv
Aliases CVE-2025-52434
GHSA-4j3c-42xv-3f84
Summary Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52434.json
epss 0.00018 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
epss 0.00078 https://api.first.org/data/v1/epss?cve=CVE-2025-52434
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52434
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-4j3c-42xv-3f84
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/8a83c3c42d20762782678932c14005cd3397a018
generic_textual MODERATE https://github.com/apache/tomcat/commit/8a83c3c42d20762782678932c14005cd3397a018
cvssv3.1 7.5 https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
generic_textual MODERATE https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
ssvc Track https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2025-52434
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-52434
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-52434.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/apache/tomcat/commit/8a83c3c42d20762782678932c14005cd3397a018
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none


Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-11T14:02:46Z/ Found at https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2025-52434
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)
Percentile 0.0272
EPSS Score 0.00018
Published At July 11, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-05T22:25:46.530595+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-9.html 37.0.0