org.apache.tomcat:tomcat-coyote

Ecosystem: Maven. 25 known CVEs affecting this package.

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting org.apache.tomcat:tomcat-coyote (page 1 of 1)

Each entry lists: CVE id | severity | CVSS score | EG score | fix status | date; followed by the vulnerable versions of this package and the advisory summary.
- CVE-2014-0075 | NONE | CVSS 0.0 | EG 0.0 | Fixed in 8.0.4 | 2014-05-31
  - vulnerable: 8.0.1, 8.0.3
  - Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service…
- CVE-2014-0095 | NONE | CVSS 0.0 | EG 0.0 | Fixed in 8.0.4 | 2014-05-31
  - vulnerable: 8.0.0-RC1 ... 8.0.3 (6 versions)
  - java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request proces…
- CVE-2016-6816 | HIGH | CVSS 7.1 | EG 7.1 | Fixed in 6.0.48 | 2017-03-20
  - The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy…
- CVE-2017-5651 | CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 8.5.13 | 2017-04-17
  - vulnerable: 8.5.0 ... 8.5.9 (10 versions)
  - In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be …
- CVE-2019-0199 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.38 | 2019-04-10
  - vulnerable: 8.0.1 ... 8.5.9 (70 versions)
  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By …
- CVE-2020-13934 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.56 | 2020-07-14
  - vulnerable: 8.5.11 ... 8.5.9 (43 versions)
  - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryE…
- CVE-2020-13943 | MEDIUM | CVSS 4.3 | EG 4.3 | Fixed in 8.5.58 | 2020-10-12
  - vulnerable: 8.5.0 ... 8.5.9 (46 versions)
  - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible …
- CVE-2020-17527 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.60 | 2020-12-03
  - vulnerable: 8.5.0 ... 8.5.9 (48 versions)
  - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the r…
- CVE-2022-42252 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 10.1.1 | 2022-11-01
  - vulnerable: 10.1.0 ... 10.1.0-M8 (15 versions)
  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a …
- CVE-2023-24998 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 9.0.71 | 2023-02-20
  - vulnerable: 9.0.0.M1 ... 9.0.8 (74 versions)
  - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file …
- CVE-2023-28709 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.88 | 2023-05-22
  - vulnerable: 8.5.85, 8.5.86, 8.5.87
  - The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be r…
- CVE-2023-34981 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.89 | 2023-06-21
  - vulnerable: 8.5.88
  - A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at l…
- CVE-2023-42794 | MEDIUM | CVSS 5.9 | EG 5.9 | Fixed in 8.5.94 | 2023-10-10
  - vulnerable: 8.5.85 ... 8.5.93 (9 versions)
  - Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potenti…
- CVE-2023-42795 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 10.1.14 | 2023-10-10
  - vulnerable: 10.1.0 ... 10.1.9 (27 versions)
  - Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an er…
- CVE-2023-44487 | HIGH | CVSS 7.5 | EG 9.0 | KEV-listed | Fixed in 8.5.94 | 2023-10-10
  - vulnerable: 8.5.0 ... 8.5.93 (78 versions)
  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2024-21733 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 9.0.44 | 2024-01-19
  - vulnerable: 9.0.0.M1 ... 9.0.8 (53 versions)
  - Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are r…
- CVE-2024-24549 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.99 | 2024-03-13
  - vulnerable: 8.5.0 ... 8.5.98 (83 versions)
  - Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was no…
- CVE-2024-34750 | HIGH | CVSS 7.5 | EG 7.5 | No fixed version listed | 2024-07-03
  - vulnerable: 8.5.0 ... 8.5.99 (85 versions)
  - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscountin…
- CVE-2024-52317 | MEDIUM | CVSS 6.5 | EG 6.5 | Fixed in 11.0.0 | 2024-11-18
  - vulnerable: 11.0.0-M24, 11.0.0-M25, 11.0.0-M26
  - Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat:…
- CVE-2025-31650 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 9.0.104 | 2025-04-28
  - vulnerable: 9.0.100 ... 9.0.99 (24 versions)
  - Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak. A large number of such requests co…
- CVE-2025-48989 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 9.0.108 | 2025-08-13
  - vulnerable: 9.0.0.M1 ... 9.0.99 (107 versions)
  - Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 th…
- CVE-2026-24734 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 11.0.18 | 2026-02-17
  - vulnerable: 11.0.0 ... 11.0.9 (39 versions)
  - Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP re…
- CVE-2026-24880 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 11.0.20 | 2026-04-09
  - vulnerable: 11.0.0 ... 11.0.9 (40 versions)
  - Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52,…
- CVE-2026-29129 | HIGH | CVSS 7.5 | EG 7.5 | Fixed in 11.0.20 | 2026-04-09
  - vulnerable: 11.0.18
  - Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade…
- CVE-2026-32990 | MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 11.0.20 | 2026-04-09
  - vulnerable: 11.0.15, 11.0.18
  - Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are re…