Race Condition Vulnerability in Apache Tomcat APR/Native Connector
CVE-2025-52434

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 10 July 2025

What is CVE-2025-52434?

The Apache Tomcat APR/Native connector experiences a race condition vulnerability that arises from improper synchronization when executing concurrent processes. This vulnerability is particularly evident during client-initiated closure of HTTP/2 connections, potentially allowing unintended access and resource conflicts. Users are strongly advised to update to version 9.0.107 or later, which resolves this issue effectively.

Affected Version(s)

Apache Tomcat 9.0.0.M1 <= 9.0.106

References

https://lists.apache.org/thread/gxgh65004f25y8519coth6w7v...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 10, 2025
Vulnerability Reserved
Jun 16, 2025

Credit

Nacl

12SqweR

WHOAMI

yyzmoon