Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

vendor_unpatched cve-2025-53506: Unpatched CVEs for Debian Linux, Ubuntu Linux (cve-2025-53506)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1093 advisory.

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge     the initial settings frame that reduces the maximum permitted concurrent streams.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-53506)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1094 advisory.

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability     in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client     initiated closes of HTTP/2 connections.

    This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 9.0.107, which fixes the issue. (CVE-2025-52434)

    For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat     could lead to a DoS via bypassing of size limits.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-52520)

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge     the initial settings frame that reduces the maximum permitted concurrent streams.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-53506)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.107-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2025-021 advisory.

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability     in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client     initiated closes of HTTP/2 connections.

    This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 9.0.107, which fixes the issue. (CVE-2025-52434)

    For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat     could lead to a DoS via bypassing of size limits.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-52520)

    Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge     the initial settings frame that reduces the maximum permitted concurrent streams.

    This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from     9.0.0.M1 through 9.0.106.

    Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
    (CVE-2025-53506)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

The remote Redhat Enterprise Linux 10 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:11741 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 6.1.1 serves as a replacement for Red Hat JBoss Web Server 6.1.0.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * tomcat: Apache Tomcat DoS in multipart upload [jws-6] (CVE-2025-48988)
    * tomcat-catalina: Apache Tomcat: Security constraint bypass for pre/post-resources [jws-6]     (CVE-2025-49125)
    * tomcat: Apache Commons FileUpload DoS via part headers [jws-6] (CVE-2025-48976)
    * jws6-tomcat: Apache Tomcat denial of service [jws-6] (CVE-2025-53506)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:11695 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.8.5 serves as a replacement for Red Hat JBoss Web Server 5.8.4.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes that are linked to in the References section.

    Security Fix(es):

    * tomcat: Apache Tomcat DoS in multipart upload [jws-5] (CVE-2025-48988)
    * tomcat-catalina: Apache Tomcat: Security constraint bypass for pre/post-resources [jws-5]     (CVE-2025-49125)
    * tomcat: Apache Commons FileUpload DoS via part headers [jws-5] (CVE-2025-48976)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52520)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-52434)
    * jws5-tomcat: Apache Tomcat denial of service [jws-5] (CVE-2025-53506)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4244 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4244-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     July 22, 2025                                 https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : tomcat9     Version        : 9.0.107-0+deb11u1     CVE ID         : CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651                      CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-49125                      CVE-2025-52434 CVE-2025-52520 CVE-2025-53506

    Several security vulnerabilities have been found in Tomcat 9, a Java web server     and servlet engine. Most notably the update improves the handling of HTTP/2     connections and corrects various flaws which can lead to uncontrolled resource     consumption and a denial of service.

    For Debian 11 bullseye, these problems have been fixed in version     9.0.107-0+deb11u1.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.107, 10.1.0-M1 prior to 10.1.43 or 11.0.0-M1 prior to 11.0.9. It is, therefore, affected by multiple vulnerabilities :

 - A race condition on connection close could trigger a JVM crash when using the APR/Native connector leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections. (CVE-2025-52434)

 - For some unlikely configurations of multipart upload, an Integer Overflow vulnerability could lead to a DoS via bypassing of size limits. (CVE-2025-52520)

 - An uncontrolled resource consumption vulnerability if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams could result in a DoS. (CVE-2025-53506)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ef87346f-5dd0-11f0-beb2-ac5afc632ba3 advisory.

    security@apache.org reports:
    A race condition on connection close could trigger a JVM crash when using the               APR/Native connector leading to a DoS.  This was particularly noticeable with client               initiated closes of HTTP/2 connections.
    An uncontrolled resource consumption vulnerability if an HTTP/2 client did not               acknowledge the initial settings frame that reduces the maximum permitted               concurrent streams could result in a DoS.
    For some unlikely configurations of multipart upload, an Integer Overflow               vulnerability could lead to a DoS via bypassing of size limits.

Tenable has extracted the preceding description block directly from the FreeBSD security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 11.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.9_security-11 advisory.

  - The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially     crafted requests to the server and perform a denial of service (DoS) attack. (CVE-2025-52520)

  - The vulnerability exists due to application does not properly control consumption of internal resources     when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a     denial of service (DoS) attack. (CVE-2025-53506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.43. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_10.1.43_security-10 advisory.

  - The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially     crafted requests to the server and perform a denial of service (DoS) attack. (CVE-2025-52520)

  - The vulnerability exists due to application does not properly control consumption of internal resources     when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a     denial of service (DoS) attack. (CVE-2025-53506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.107. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.107_security-9 advisory.

  - The vulnerability exists due to overflow in file upload limit. A remote attacker can send specially     crafted requests to the server and perform a denial of service (DoS) attack. (CVE-2025-52520)

  - The vulnerability exists due to insufficient validation of user-supplied input when handling HTTP/2     requests with APR/Native. A remote attacker can send specially crafted HTTP requests to the server and     perform a denial of service (DoS) attack. (CVE-2025-52434)

  - The vulnerability exists due to application does not properly control consumption of internal resources     when handling excessive HTTP/2 streams. A remote attacker can trigger resource exhaustion and perform a     denial of service (DoS) attack. (CVE-2025-53506)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
243501	Amazon Linux 2023 : tomcat10, tomcat10-admin-webapps, tomcat10-el-5.0-api (ALAS2023-2025-1093)	Nessus	Amazon Linux Local Security Checks	high
243472	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2025-1094)	Nessus	Amazon Linux Local Security Checks	high
243439	Amazon Linux 2 : tomcat (ALASTOMCAT9-2025-021)	Nessus	Amazon Linux Local Security Checks	high
243277	Photon OS 5.0: Apache PHSA-2025-5.0-0565	Nessus	PhotonOS Local Security Checks	high
243185	RHEL 10 / 8 / 9 : Red Hat JBoss Web Server 6.1.1 (RHSA-2025:11741)	Nessus	Red Hat Local Security Checks	high
242932	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.8.5 (RHSA-2025:11695)	Nessus	Red Hat Local Security Checks	high
242491	Debian dla-4244 : libtomcat9-embed-java - security update	Nessus	Debian Local Security Checks	high
114916	Apache Tomcat 9.0.0-M1 < 9.0.107 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114915	Apache Tomcat 10.1.0-M1 < 10.1.43 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
114914	Apache Tomcat 11.0.0-M1 < 11.0.9 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
242005	FreeBSD : Apache Tomcat -- Multiple Vulnerabilities (ef87346f-5dd0-11f0-beb2-ac5afc632ba3)	Nessus	FreeBSD Local Security Checks	high
241706	Apache Tomcat 11.0.0.M1 < 11.0.9 multiple vulnerabilities	Nessus	Web Servers	high
241705	Apache Tomcat 10.1.0.M1 < 10.1.43 multiple vulnerabilities	Nessus	Web Servers	high
241680	Apache Tomcat 9.0.0.M1 < 9.0.107 multiple vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2025-53506

high

Tenable Plugins

Coming Soon

high

high

high

high

high

high

high

high

high

high

high

high

high

high