CVE-2025-52434

HIGH EPSS 76.0%

Published Jul 10, 202511mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jul 10, 2025 11mo ago

Last Modified Jun 17, 2026 1w ago

Description

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

76.0% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-362

Affected Products 1

Vendor	Product	Version	Range
apache	tomcat	*	≥9.0.0 – <9.0.107

References 3

openwall.com http://www.openwall.com/lists/oss-security/2025/07/10/11
lists.apache.org https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030

Issue TrackingMailing ListVendor Advisory
lists.debian.org https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.