ELA-1615-1 tomcat9 security update

multiple vulnerabilities

2026-01-17
Package: tomcat9
Version: 9.0.107-0+deb10u1 (buster)
Related CVEs: CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651 CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-49125 CVE-2025-52434 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668


Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. Most notably, the update improves the handling of HTTP/2 connections and corrects various flaws that can lead to uncontrolled resource consumption and a Denial of Service (DoS).

A risk analysis was carried out, and it was determined that the best available solution was to backport the bullseye version of Tomcat to buster. As a result, installing this update moves Tomcat users in buster from Tomcat version 9.0.31 to 9.0.107.

Unfortunately, some minor incompatibilities may arise, as documented at the end of this advisory.

CVE-2024-34750

Tomcat was affected by an improper handling of exceptional conditions vulnerability. Tomcat mishandled excessive HTTP/2 headers, causing stream miscounts and infinite timeouts that allowed connections to remain open and trigger a denial of service.

CVE-2024-54677

Tomcat was affected by an uncontrolled resource consumption vulnerability. Crafted requests to the bundled examples app could exhaust resources and lead to denial of service.

CVE-2025-31650

Tomcat was affected by an improper input validation vulnerability. Invalid HTTP priority headers were not cleaned up correctly, causing memory leaks that could accumulate and result in an OutOfMemoryException and denial of service.

CVE-2025-31651

Tomcat was affected by an improper neutralization vulnerability. Certain rewrite rule configurations allowed specially crafted requests to bypass rewrite rules, potentially bypassing associated security constraints.

CVE-2025-46701

Tomcat was affected by an improper handling of case sensitivity vulnerability. The CGI servlet failed to correctly enforce case‑sensitive pathInfo checks, enabling attackers to bypass security constraints by altering URL casing.

CVE-2025-48976

Tomcat was affected by an allocation of resources without limits vulnerability. Multipart headers could be crafted in large numbers to consume excessive memory, enabling Denial of Service (DoS).

CVE-2025-48988

Tomcat was affected by an allocation of resources without limits vulnerability. Tomcat allowed multipart uploads with many large headers, enabling attackers to exhaust memory and cause Denial of Service (DoS).

CVE-2025-49125

Tomcat was affected by an authentication bypass vulnerability. PreResources or PostResources mounted outside the root could be accessed through unexpected paths not protected by the intended security constraints, enabling bypass of authentication rules.

CVE-2025-52434

Tomcat was affected by a race condition. Improper synchronization during client‑initiated HTTP/2 connection closes could trigger crashes in the APR/Native connector, leading to Denial of Service (DoS).

CVE-2025-52520

Tomcat was affected by an integer overflow. Certain multipart upload configurations could trigger an integer overflow, allowing attackers to bypass size limits and cause Denial of Service (DoS).

CVE-2025-53506

Tomcat was affected by an uncontrolled resource consumption vulnerability. If an HTTP/2 client failed to acknowledge the initial settings frame, Tomcat could allow excessive concurrent streams, resulting in Denial of Service (DoS).

To remediate vulnerabilities in the Tomcat 9 server stack, an upgrade was performed instead of applying minimal patching. The following noteworthy changes were identified:



For Debian 10 buster, these problems have been fixed in version 9.0.107-0+deb10u1.

We recommend that you upgrade your tomcat9 packages.
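A practitioner rolling this update out across a fleet usually wants a quick way to tell which hosts still run a tomcat9 package older than the fixed version. The script below is an added example, not part of this advisory or of Debian's tooling: it reimplements the dpkg version-ordering rules (epoch, upstream version, Debian revision; `~` sorting before everything) in Python and applies them to package inventory lines in the `dpkg-query -W -f='${Package}\t${Version}\n'` format. The inventory lines embedded here are constructed sample data, and the hostnames are placeholders; on a real Debian host the same comparison can be done with `dpkg --compare-versions`.

```python
"""Flag tomcat9 installations older than the version fixed in ELA-1615-1."""

# Fixed version taken from the advisory.
FIXED_VERSION = "9.0.107-0+deb10u1"

# Constructed sample inventory: one line per (host, package, version).
SAMPLE_INVENTORY = """\
buster-web-1\ttomcat9\t9.0.31-1~deb10u11
buster-web-2\ttomcat9\t9.0.107-0+deb10u1
buster-web-3\ttomcat9\t9.0.107~rc1-1
buster-db-1\topenjdk-11-jre-headless\t11.0.20+8-1~deb10u1
"""


def _order(c: str) -> int:
    """Character weight used by dpkg for non-digit segments."""
    if c.isdigit():
        return 0          # digits end a non-digit segment
    if c.isalpha():
        return ord(c)     # letters sort before other characters
    if c == "~":
        return -1         # tilde sorts before everything, even end of string
    return ord(c) + 256   # punctuation sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Lexical comparison of the leading non-digit run.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric comparison of the leading digit run (leading zeros ignored).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a has more digits, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 depending on whether a < b, a == b or a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    r = _verrevcmp(ua, ub)
    if r == 0:
        r = _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed version is strictly older than the fixed one."""
    return compare_versions(installed, fixed) < 0


def affected_hosts(inventory: str, package: str = "tomcat9") -> list:
    """Return (host, version) pairs whose package predates the fixed version."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, pkg, version = line.split("\t")
        if pkg == package and is_vulnerable(version):
            hits.append((host, version))
    return hits


if __name__ == "__main__":
    for host, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: tomcat9 {version} is older than {FIXED_VERSION}, upgrade required")
```

The comparison deliberately treats a pre-release such as `9.0.107~rc1-1` as older than the fixed package, matching dpkg's `~` rule, so a host pinned to a release candidate is still reported. Packages other than `tomcat9` are ignored.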

Further information about Extended LTS security advisories can be found in the dedicated section of our website.