Tomcat Flaw Lets Hackers Crash Sites With HTTP/2 Flood
A newly disclosed vulnerability in Apache Tomcat's Coyote connector layer, tracked as CVE-2025-53506, exposes servers to denial-of-service attacks via HTTP/2 traffic. The bug is in stream accounting: a Tomcat server advertises its concurrent-stream limit in the initial SETTINGS frame, but if the client never acknowledges that frame the server fails to enforce the limit, and the connection effectively stays at the protocol's unlimited starting value. An attacker can then open stream after stream on one connection, leaving each one open, until the request-processing thread pool is exhausted and service availability collapses.
Security analysts linked the issue to a race condition introduced during a dynamic stream limit refactor. The attack requires no credentials and looks like ordinary HTTPS traffic on port 443, so basic network filtering does not catch it. A single TLS connection is enough: the client simply keeps opening new streams over it, tying up threads and stalling legitimate traffic.
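The model below is an added illustration of the accounting failure just described, written for this page; it is not Tomcat's code and not the fix. It builds a constructed HTTP/2 flood (HEADERS frames on fresh stream ids with END_STREAM unset and no SETTINGS ACK) and feeds it to two versions of a hypothetical server-side stream counter: a weak one that only honours the configured limit once the client has acknowledged it, and a hardened one that applies the server's own limit from the first stream regardless of ACK status. The frame layout, flag and setting ids and the REFUSED_STREAM code come from RFC 7540; the class and function names are assumptions made here, and the limit of 100 is Tomcat's documented default for maxConcurrentStreams.

```python
"""Model of HTTP/2 concurrent-stream accounting (illustration, not Tomcat's code):
the weak behaviour (limit enforced only after the client ACKs SETTINGS) beside the
hardened one (limit applied from the server's own configuration regardless of ACK).
All traffic below is constructed in-process; nothing touches the network."""
import struct
from dataclasses import dataclass, field

# RFC 7540 frame types, flags, setting ids and error codes used in this model
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1            # on SETTINGS
FLAG_END_HEADERS = 0x4    # on HEADERS
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
ERR_REFUSED_STREAM = 0x7


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) tuples from a byte string of frames."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def server_initial_settings(max_streams: int) -> bytes:
    """The SETTINGS frame a server sends first, lowering the concurrent-stream limit
    from the protocol's unlimited initial value. The hostile client never ACKs it."""
    payload = struct.pack("!HI", SETTINGS_MAX_CONCURRENT_STREAMS, max_streams)
    return build_frame(FRAME_SETTINGS, 0, 0, payload)


@dataclass
class StreamAccounting:
    """Server-side stream bookkeeping for one connection (hypothetical model)."""
    configured_limit: int          # e.g. Tomcat's maxConcurrentStreams, default 100
    enforce_before_ack: bool       # False = weak behaviour, True = hardened
    settings_acked: bool = False
    active: set = field(default_factory=set)
    refused: list = field(default_factory=list)  # ids answered with RST_STREAM

    def effective_limit(self):
        """Weak: honour the limit only once the client has ACKed it, so an un-ACKed
        connection stays unlimited. Hardened: the server knows its own limit and
        applies it from the first stream, ACK or not."""
        if self.enforce_before_ack or self.settings_acked:
            return self.configured_limit
        return None

    def handle(self, data: bytes) -> tuple:
        """Consume client frames; return (open streams, refused streams)."""
        for ftype, flags, sid, _payload in parse_frames(data):
            if ftype == FRAME_SETTINGS and flags & FLAG_ACK:
                self.settings_acked = True
            elif ftype == FRAME_RST_STREAM:
                self.active.discard(sid)
            elif ftype == FRAME_HEADERS and sid not in self.active:
                limit = self.effective_limit()
                if limit is not None and len(self.active) >= limit:
                    self.refused.append(sid)   # peer would get RST_STREAM(REFUSED_STREAM)
                else:
                    self.active.add(sid)       # a worker thread is now tied up
        return len(self.active), len(self.refused)


def flood_without_ack(n_streams: int) -> bytes:
    """Constructed client traffic: HEADERS on fresh odd stream ids, END_STREAM
    deliberately unset so every stream stays open, and no SETTINGS ACK at all."""
    body = b"\x82"  # HPACK indexed field 2 (':method: GET'), enough to look real
    return b"".join(build_frame(FRAME_HEADERS, FLAG_END_HEADERS, 2 * i + 1, body)
                    for i in range(n_streams))


def compare(n_streams: int = 1000, limit: int = 100) -> dict:
    """Run the same un-ACKed flood against both accounting modes."""
    traffic = flood_without_ack(n_streams)
    weak = StreamAccounting(limit, enforce_before_ack=False)
    hardened = StreamAccounting(limit, enforce_before_ack=True)
    return {"weak": weak.handle(traffic), "hardened": hardened.handle(traffic)}


if __name__ == "__main__":
    print(compare())
```

With a 1000-stream flood and a limit of 100, the weak counter reports 1000 open streams and nothing refused, while the hardened one caps at 100 and refuses the remaining 900; once a well-behaved client does send the SETTINGS ACK, both modes behave identically, which is why the problem only surfaces against a client that deliberately withholds it.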
All active Tomcat branches are affected: 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, and 9.0.0.M1 through 9.0.106. Apache has issued patched versions 11.0.9, 10.1.43, and 9.0.107. Until updates are applied, administrators should disable HTTP/2 on the connector or enforce strict per-connection stream limits on a reverse proxy in front of Tomcat. Lowering maxConcurrentStreams in Tomcat itself is not a workaround on unpatched versions, because the flaw is precisely that the configured limit is not applied until the client acknowledges it.
