{
  "threat_severity" : "Moderate",
  "public_date" : "2025-07-10T19:03:47Z",
  "bugzilla" : {
    "description" : "tomcat: Apache Tomcat denial of service",
    "id" : "2379382",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2379382"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections.\nThis issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106.\nThe following versions were EOL at the time the CVE was created but are \nknown to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions \nmay also be affected.\nUsers are recommended to upgrade to version 9.0.107, which fixes the issue.", "A denial of service flaw was found in Apache Tomcat. A race condition during connection closure could trigger a JVM crash when using the APR/Native connector, leading to a denial of service. This issue was particularly noticeable with client-initiated closures of HTTP/2 connections." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14178",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "tomcat9-1:9.0.87-5.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14177",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "tomcat-1:9.0.87-1.el8_10.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14182",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14182",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8",
    "package" : "tomcat-1:9.0.87-1.el8_8.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14181",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "tomcat-1:9.0.87-3.el9_6.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14183",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "tomcat-1:9.0.87-1.el9_2.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-08-20T00:00:00Z",
    "advisory" : "RHSA-2025:14180",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "tomcat-1:9.0.87-1.el9_4.6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8.5",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11696",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8",
    "package" : "jws5-tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 7",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11695",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el7",
    "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 8",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11695",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el8",
    "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.8 on RHEL 9",
    "release_date" : "2025-07-28T00:00:00Z",
    "advisory" : "RHSA-2025:11695",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.8::el9",
    "package" : "jws5-tomcat-0:9.0.87-12.redhat_00011.1.el9jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-52434\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-52434\nhttps://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030" ],
  "name" : "CVE-2025-52434",
  "csaw" : false
}