Cyber Resilience

CVE-2025-52434

Severity: High
Published: 10 July 2025
Modified: 04 November 2025
KEV Added: not listed
Patch: available (upgrade to 9.0.107)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0120 (79.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52434 is a high-severity Race Condition (CWE-362) vulnerability in Apache Tomcat. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 20.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2025-52434 is a race condition vulnerability arising from concurrent execution using shared resources with improper synchronization in Apache Tomcat when the APR/Native connector is in use. The flaw manifests particularly during client-initiated closes of HTTP/2 connections and affects Tomcat versions 9.0.0.M1 through 9.0.106 as well as earlier end-of-life releases including 8.5.0 through 8.5.100.

An unauthenticated remote attacker can trigger the race condition over the network to produce a denial-of-service condition that impacts availability while leaving confidentiality and integrity unaffected.

Advisories from the Apache project and downstream distributions such as Debian state that users should upgrade to Tomcat 9.0.107, which contains the fix for the issue.
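An added triage helper (example code written for this page, not from the Apache project or the advisory) that classifies a reported Tomcat version against the affected and fixed ranges stated above, handling the 9.0.0.Mx milestone naming, and inspects a server.xml for the APR/Native connector that the flaw requires. The connector-selection rule it applies (an explicit Http11AprProtocol connector, or AprLifecycleListener with useAprConnector="true") is an assumption about Tomcat 9 configuration, and the server.xml fragment is constructed sample input.

```python
import re
import xml.etree.ElementTree as ET

# Version boundaries exactly as stated in the advisory text on this page.
LAST_AFFECTED_9 = "9.0.106"          # fixed in 9.0.107
EOL_85_RANGE = ("8.5.0", "8.5.100")  # EOL at CVE creation, known affected
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

def version_key(v: str):
    """Sort key for Tomcat versions, including 9.0.0.Mx milestones.
    Milestones (9.0.0.M1 .. 9.0.0.M27) must sort before the first final 9.0.x."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    final = milestone is None
    return (int(major), int(minor), int(patch), int(final), int(milestone or 0))

def version_status(version: str) -> str:
    """Classify a version against the ranges the advisory gives."""
    key = version_key(version)
    if key[:2] == (9, 0):
        return "affected" if key <= version_key(LAST_AFFECTED_9) else "fixed"
    if key[:2] == (8, 5):
        lo, hi = (version_key(x) for x in EOL_85_RANGE)
        return "affected-eol" if lo <= key <= hi else "unknown"
    return "unknown"  # other older EOL lines: advisory says they "may also be affected"

def uses_apr_connector(server_xml: str) -> bool:
    """Assumption (Tomcat 9 rules): APR/Native is selected either by an explicit
    Http11AprProtocol connector or by AprLifecycleListener useAprConnector="true"."""
    root = ET.fromstring(server_xml)
    if any(c.get("protocol") == APR_PROTOCOL for c in root.iter("Connector")):
        return True
    return any(l.get("className", "").endswith("AprLifecycleListener")
               and l.get("useAprConnector", "false").lower() == "true"
               for l in root.iter("Listener"))

def exposed(version: str, server_xml: str) -> bool:
    """Exposed only when the build is in an affected range AND APR is in use."""
    return version_status(version).startswith("affected") and uses_apr_connector(server_xml)

# Constructed sample server.xml fragment (not taken from any real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" useAprConnector="true"/>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""
```

A version outside the stated ranges is reported as "unknown" rather than "fixed", because the advisory only commits to the 9.0.x and 8.5.x ranges.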

The associated EPSS score has remained at 0.0120 since disclosure, with no material increase.

Vulnerability details

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.

CWE(s): CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, 'Race Condition')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: apache
Product: tomcat
Versions: 9.0.0 to 9.0.107

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs. (addresses CWE-362)
- Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization. (addresses CWE-362)
