A newly disclosed flaw in Apache Tomcat’s Coyote engine—tracked as CVE-2025-53506—has surfaced within the newest spherical of HTTP/2 safety advisories.
First famous within the Nationwide Vulnerability Database 5 days in the past, the weak point stems from Coyote’s failure to implement a tough cap on concurrent streams when an HTTP/2 consumer by no means acknowledges the server’s preliminary SETTINGS body.
By repeatedly initiating streams which might be by no means closed, a distant attacker can exhaust the server’s thread pool and drive the container into a protracted denial-of-service state, despite the fact that confidentiality and integrity stay unaffected.
As a result of the exploit rides odd TCP port 443 site visitors, firewalls see nothing suspicious; assault complexity stays low, and no credentials are required.
GitHub analysts subsequently traced the problem to a race situation launched throughout the refactor that added dynamic stream limits, publishing proof-of-concept site visitors captures that reliably crash unpatched builds.
The vulnerability impacts each maintained department: 11.0.0-M1 by way of 11.0.8, 10.1.0-M1 by way of 10.1.42, and 9.0.0.M1 by way of 9.0.106.
Apache has launched mounted variations 11.0.9, 10.1.43, and 9.0.107; directors that can’t improve instantly ought to a minimum of disable HTTP/2 or restrict maxConcurrentStreams on the reverse-proxy layer to keep away from service interruptions.
CVSS v4 scores the flaw 6.3, tagging availability as Excessive whereas leaving different affect metrics at None, underscoring its DoS-centric profile.
Exploiting the Stream-Flood Mechanism
In follow, the attacker holds a single TLS session open and loops the next payload:-
PRI * HTTP/2.0rnrnSMrnrn ; connection pre-face
…SETTINGS (ACK omitted) ; server settings ignored
HEADERS END_STREAM=0 … ; open stream 1
HEADERS END_STREAM=0 … ; open stream 2
/* repeat till thread pool saturation */
As a result of Tomcat allocates a employee per stream earlier than receiving any precise knowledge, every orphaned stream ties up a thread indefinitely.
As soon as the executor queue maxes out, respectable requests outing, successfully knocking the positioning offline with out crashing the JVM.
Trendy reverse proxies that implement a SETTINGS-ack timeout or exhausting stream ceiling neutralize the assault, making upstream mitigation sensible till full patch deployment.
Examine stay malware conduct, hint each step of an assault, and make sooner, smarter safety selections -> Attempt ANY.RUN now
