Apache Tomcat Coyote Vulnerability Let Attackers Trigger DoS Attack

A newly disclosed flaw in Apache Tomcat’s Coyote engine—tracked as CVE-2025-53506—has surfaced in the latest round of HTTP/2 security advisories.

First noted in the National Vulnerability Database five days ago, the weakness stems from Coyote’s failure to enforce a hard cap on concurrent streams when an HTTP/2 client never acknowledges the server’s initial SETTINGS frame.

By repeatedly initiating streams that are never closed, a remote attacker can exhaust the server’s thread pool and force the container into a prolonged denial-of-service state, even though confidentiality and integrity remain unaffected.

Because the exploit rides ordinary TCP port 443 traffic, firewalls see nothing suspicious; attack complexity remains low, and no credentials are required.

GitHub analysts subsequently traced the issue to a race condition introduced during the refactor that added dynamic stream limits, publishing proof-of-concept traffic captures that reliably crash unpatched builds.

The vulnerability affects every maintained branch: 11.0.0-M1 through 11.0.8, 10.1.0-M1 through 10.1.42, and 9.0.0.M1 through 9.0.106.

Apache has released fixed versions 11.0.9, 10.1.43, and 9.0.107; administrators who cannot upgrade immediately should at least disable HTTP/2 or limit maxConcurrentStreams at the reverse-proxy layer to avoid service interruptions.

CVSS v4 scores the flaw 6.3, tagging availability as High while leaving other impact metrics at None, underscoring its DoS-centric profile.

Exploiting the Stream-Flood Mechanism

In practice, the attacker holds a single TLS session open and loops the following payload:

PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n      ; connection pre-face
…SETTINGS (ACK omitted)            ; server settings ignored
HEADERS  END_STREAM=0  …           ; open stream 1
HEADERS  END_STREAM=0  …           ; open stream 2
/* repeat until thread pool saturation */

Because Tomcat allocates a worker per stream before receiving any actual data, each orphaned stream ties up a thread indefinitely.

Once the executor queue maxes out, legitimate requests time out, effectively knocking the site offline without crashing the JVM.

Modern reverse proxies that enforce a SETTINGS-ack timeout or hard stream ceiling neutralize the attack, making upstream mitigation practical until full patch deployment.
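The following toy model, added here and not taken from Tomcat's source, illustrates the behaviour described above: a server that only starts counting streams against its advertised limit once the client acknowledges SETTINGS, compared with one that enforces the cap from the first HEADERS frame. Frame shapes, the limit value and the function names are constructed for the illustration.

```python
"""Toy model of HTTP/2 concurrent-stream limiting (constructed example, not Tomcat code).

Frames are simplified tuples:
  ("SETTINGS_ACK",)                      client acknowledges the server's SETTINGS
  ("HEADERS", stream_id, end_stream)     client opens a stream
  ("RST_STREAM", stream_id)              either side closes a stream
"""
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # value the server advertises in its initial SETTINGS


@dataclass
class Http2Connection:
    enforce_before_ack: bool  # False models the flawed behaviour, True the hardened one
    settings_acked: bool = False
    open_streams: set = field(default_factory=set)
    refused: int = 0

    def _limit_active(self) -> bool:
        # Flawed variant: the cap only applies after the client's SETTINGS ACK,
        # so a client that never ACKs is never limited.
        return self.enforce_before_ack or self.settings_acked

    def on_frame(self, frame: tuple) -> None:
        kind = frame[0]
        if kind == "SETTINGS_ACK":
            self.settings_acked = True
        elif kind == "HEADERS":
            _, stream_id, end_stream = frame
            if self._limit_active() and len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                self.refused += 1  # a real server would answer RST_STREAM(REFUSED_STREAM)
                return
            if not end_stream:  # simplification: a stream ended at once is served and released
                self.open_streams.add(stream_id)
        elif kind == "RST_STREAM":
            self.open_streams.discard(frame[1])


def simulate_unacked_client(enforce_before_ack: bool, streams: int) -> tuple[int, int]:
    """Replay the pattern from the article: the client never sends SETTINGS ACK and
    opens `streams` half-open streams (odd ids, END_STREAM not set).
    Returns (streams still open, streams refused)."""
    conn = Http2Connection(enforce_before_ack=enforce_before_ack)
    for i in range(streams):
        conn.on_frame(("HEADERS", 2 * i + 1, False))
    return len(conn.open_streams), conn.refused
```

With the flawed variant every stream stays open and would pin a worker, whereas the hardened variant holds the connection at the advertised limit and refuses the rest.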


The post Apache Tomcat Coyote Vulnerability Let Attackers Trigger DoS Attack appeared first on Cyber Security News.

15 July 2025