CVE-2025-52434

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
References
Link : https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030
Resource : Issue Tracking, Mailing List, Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

History

08 Aug 2025, 12:15

Type : Summary
Values Removed : (en) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Values Added : (en) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

07 Aug 2025, 12:15

Type : References
Values Removed : () https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 - Mailing List, Vendor Advisory, Issue Tracking
Values Added : () https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 - Issue Tracking, Mailing List, Vendor Advisory

Type : Summary
Values Removed : (en) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
Values Added : (en) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

29 Jul 2025, 18:36

Type : References
Values Removed : () https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 -
Values Added : () https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 - Mailing List, Vendor Advisory, Issue Tracking

Type : First Time
Values Added : Apache; Apache tomcat

Type : CPE
Values Added : cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

11 Jul 2025, 14:15

Type : CVSS
Values Removed : v2 : unknown; v3 : unknown
Values Added : v2 : unknown; v3 : 7.5

Type : Summary
Values Added : (es) Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client-initiated closes of HTTP/2 connections. This issue affects Apache Tomcat from version 9.0.0.M1 through 9.0.106. Upgrading to version 9.0.107, which fixes the issue, is recommended.

10 Jul 2025, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-07-10 19:15

Updated : 2025-08-08 12:15


NVD link : CVE-2025-52434

Mitre link : CVE-2025-52434

CVE.ORG link : CVE-2025-52434


Products Affected

apache

  • tomcat
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')