spring-boot-starter-web-3.3.5.jar: 41 vulnerabilities (highest severity is: 9.8) #20

@mend-for-github-com

Description

Vulnerable Library - spring-boot-starter-web-3.3.5.jar

Path to dependency file: /pom.xml

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-31651 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.11 | |
| CVE-2025-24813 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.9 | |
| CVE-2024-56337 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | |
| CVE-2024-50379 | Critical | 9.8 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.7 | |
| CVE-2025-55754 | Critical | 9.6 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.10 | |
| CVE-2026-29145 | Critical | 9.1 | tomcat-embed-core-10.1.31.jar | Transitive | 3.5.13 | |
| CVE-2025-66614 | High | 7.6 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.13 | |
| WS-2026-0003 | High | 7.5 | jackson-core-2.18.0.jar | Transitive | 3.5.0 | |
| CVE-2026-34487 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 4.0.0 | |
| CVE-2026-34483 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 4.0.0 | |
| CVE-2026-29146 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.5.13 | |
| CVE-2026-24880 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.5.13 | |
| CVE-2025-55752 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.10 | |
| CVE-2025-53506 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2025-52520 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2025-48989 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.9 | |
| CVE-2025-48988 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-48976 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-41249 | High | 7.5 | spring-core-6.1.14.jar | Transitive | N/A* | |
| CVE-2025-31650 | High | 7.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2026-24734 | High | 7.4 | tomcat-embed-core-10.1.31.jar | Transitive | 3.5.11 | |
| CVE-2025-22235 | High | 7.3 | spring-boot-3.3.5.jar | Transitive | N/A* | |
| CVE-2024-12798 | High | 7.3 | detected in multiple dependencies | Transitive | 3.3.8 | |
| CVE-2025-11226 | Medium | 6.9 | logback-core-1.5.11.jar | Transitive | 3.4.11 | |
| CVE-2026-34500 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 4.0.0 | |
| CVE-2026-24733 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.4.13 | |
| CVE-2026-22740 | Medium | 6.5 | spring-web-6.1.14.jar | Transitive | N/A* | |
| CVE-2025-55668 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-49125 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | 3.3.13 | |
| CVE-2025-46701 | Medium | 6.5 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2025-41234 | Medium | 6.5 | spring-web-6.1.14.jar | Transitive | 3.3.13 | |
| CVE-2025-49124 | Medium | 6.3 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2026-25854 | Medium | 6.1 | tomcat-embed-core-10.1.31.jar | Transitive | 3.5.13 | |
| CVE-2026-22737 | Medium | 5.9 | spring-webmvc-6.1.14.jar | Transitive | N/A* | |
| CVE-2025-41242 | Medium | 5.9 | detected in multiple dependencies | Transitive | N/A* | |
| CVE-2025-61795 | Medium | 5.3 | tomcat-embed-core-10.1.31.jar | Transitive | N/A* | |
| CVE-2026-1225 | Medium | 5.0 | logback-core-1.5.11.jar | Transitive | N/A* | |
| CVE-2024-12801 | Medium | 4.6 | logback-core-1.5.11.jar | Transitive | 3.3.8 | |
| CVE-2026-22741 | Low | 3.1 | spring-webmvc-6.1.14.jar | Transitive | N/A* | |
| CVE-2025-22233 | Low | 3.1 | spring-context-6.1.14.jar | Transitive | 3.3.12 | |
| CVE-2026-22735 | Low | 2.6 | detected in multiple dependencies | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2025-31651

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-04-28

URL: CVE-2025-31651

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3

Release Date: 2025-04-28

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.40

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.11

CVE-2025-24813

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-03-10

URL: CVE-2025-24813

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-24813

Release Date: 2025-03-10

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.35

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.9

CVE-2024-56337

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:

  • running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
  • running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
  • running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-20

URL: CVE-2024-56337

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-20

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

CVE-2024-50379

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. The fix for CVE-2024-50379 was found to be incomplete - users should refer to the follow-up CVE-2024-56337 which fully addresses the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2024-12-17

URL: CVE-2024-50379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-11.html

Release Date: 2024-12-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.34

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.7

CVE-2025-55754

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat.
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Publish Date: 2025-10-27

URL: CVE-2025-55754

CVSS 3 Score Details (9.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/j7w54hqbkfcn0xb9xy0wnx8w5nymcbqd

Release Date: 2025-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.45

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.10

CVE-2026-29145

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.
Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-29145

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.13

CVE-2025-66614

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected.
Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field.
The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application.
Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Publish Date: 2026-02-17

URL: CVE-2025-66614

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7

Release Date: 2026-02-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.50

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.13

WS-2026-0003

Vulnerable Library - jackson-core-2.18.0.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.18.0/65e8ead7de5d8f7a53e296c363bea3182f21f925/jackson-core-2.18.0.jar

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-json-3.3.5.jar
      • jackson-datatype-jdk8-2.18.0.jar
        • jackson-core-2.18.0.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion, resulting in a Denial of Service (DoS).

The standard synchronous parser correctly enforces this limit, but the async parser fails to do so, creating an inconsistent enforcement policy.

Publish Date: 2026-03-02

URL: WS-2026-0003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-72hv-8253-57qq

Release Date: 2026-03-02

Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.18.6

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2026-34487

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.54

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.0

CVE-2026-34483

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-34483

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.54

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 4.0.0

CVE-2026-29146

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-29146

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.13

CVE-2026-24880

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Other, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.

Publish Date: 2026-04-09

URL: CVE-2026-24880

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2026-04-09

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.53

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.13

CVE-2025-55752

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Relative Path Traversal vulnerability in Apache Tomcat.
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Publish Date: 2025-10-27

URL: CVE-2025-55752

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2025-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.45

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.10

CVE-2025-53506

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

Publish Date: 2025-07-10

URL: CVE-2025-53506

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107

Release Date: 2025-07-06

Fix Resolution: org.apache.tomcat:tomcat-coyote:9.0.107, https://github.com/apache/tomcat.git - 9.0.107, org.apache.tomcat.embed:tomcat-embed-core:9.0.107

CVE-2025-52520

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-07-10

URL: CVE-2025-52520

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.107

Release Date: 2025-07-06

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.107, org.apache.tomcat:tomcat-catalina:9.0.107, https://github.com/apache/tomcat.git - 9.0.107

CVE-2025-48989

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the "made you reset" attack.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected.
Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue.

Publish Date: 2025-08-13

URL: CVE-2025-48989

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/9ydfg0xr0tchmglcprhxgwhj0hfwxlyf

Release Date: 2025-08-13

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.44

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.4.9

CVE-2025-48988

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-48988

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-16

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-48976

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS. This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-06-16

URL: CVE-2025-48976

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-06-15

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.42

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.3.13

CVE-2025-41249

Vulnerable Library - spring-core-6.1.14.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-web-6.1.14.jar
      • spring-core-6.1.14.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. This can be an issue if such annotations are used for authorization decisions.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2025-09-16

URL: CVE-2025-41249

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2025-41249

Release Date: 2025-09-14

Fix Resolution: https://github.com/spring-projects/spring-framework.git - v6.2.11,org.springframework:spring-core:6.2.11

CVE-2025-31650

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Publish Date: 2025-04-28

URL: CVE-2025-31650

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826

Release Date: 2025-04-28

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:11.0.6,org.apache.tomcat.embed:tomcat-embed-core:9.0.104,https://github.com/apache/tomcat.git - 10.0.40,org.apache.tomcat:tomcat-coyote:9.0.104,https://github.com/apache/tomcat.git - 11.0.6,org.apache.tomcat:tomcat-coyote:11.0.6,https://github.com/apache/tomcat.git - 9.0.104,org.apache.tomcat.embed:tomcat-embed-core:10.0.40,org.apache.tomcat:tomcat-coyote:10.0.40

CVE-2026-24734

Vulnerable Library - tomcat-embed-core-10.1.31.jar

Core Tomcat implementation

Library home page: https://tomcat.apache.org/

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-tomcat-3.3.5.jar
      • tomcat-embed-core-10.1.31.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.
When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.
This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114.
The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected.
Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue.

Publish Date: 2026-02-17

URL: CVE-2026-24734

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml

Release Date: 2026-02-17

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 10.1.52

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.5.11

CVE-2025-22235

Vulnerable Library - spring-boot-3.3.5.jar

Spring Boot

Library home page: https://spring.io/projects/spring-boot

Dependency Hierarchy:

  • spring-boot-starter-web-3.3.5.jar (Root Library)
    • spring-boot-starter-3.3.5.jar
      • spring-boot-3.3.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been created, is disabled or not exposed.
Your application may be affected by this if all the following conditions are met:

  • You use Spring Security
  • EndpointRequest.to() has been used in a Spring Security chain configuration
  • The endpoint which EndpointRequest references is disabled or not exposed via web
  • Your application handles requests to /null and this path needs protection

You are not affected if any of the following is true:

  • You don't use Spring Security
  • You don't use EndpointRequest.to()
  • The endpoint which EndpointRequest.to() refers to is enabled and is exposed
  • Your application does not handle requests to /null or this path does not need protection

Publish Date: 2025-04-28

URL: CVE-2025-22235

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-04-24

Fix Resolution: https://github.com/spring-projects/spring-boot.git - v3.4.5,https://github.com/spring-projects/spring-boot.git - v3.3.11,org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.5,org.springframework.boot:spring-boot-actuator-autoconfigure:3.3.11


⛑️Automatic Remediation will be attempted for this issue.
