December 23, 2025
Regularly patching Apache Tomcat is a necessary step to keep your Tomcat deployments compliant, secure, stable, and performant. Tomcat patches can protect you from CVEs and allow you to keep up with the current codebase while maintaining your configuration until it’s time to upgrade to a new major version.
In this blog, our expert explains when to patch Tomcat and when to consider an upgrade, the vulnerabilities that have affected recent versions of Tomcat, and how to test Tomcat patches you have installed.
Tomcat Patching: Why It's Important
First, a clarification: when we say “patch” in Tomcat, we are referring to a minor point upgrade of Tomcat. For example, if you are running Tomcat 10.1 and a new 10.1.x release comes out, moving to that 10.1.x release is considered a patch. On the other hand, if you went from Tomcat 10.1 to 11, that would be considered upgrading to a new major version.
When patching, you’re typically able to keep your previous Tomcat configuration while still getting patches and security updates. If you perform an upgrade to a new major version, you may need to change your configuration due to schema changes in the XML configuration files across versions. In other words, patching allows you to address important issues and keep up with the current codebase for the version of Tomcat you’re using.
How Often Should You Patch Tomcat?
Regular patching is a good practice because it keeps your Tomcat deployments up to date and prevents a large gap in between maintenance windows of the Tomcat server. It should be done whenever possible, but especially in instances when a CVE is being addressed by the patch.
Patching is the best way to keep your Tomcat deployments secure in between upgrades. Because major Tomcat versions typically last for around 10 years, you will likely have far more instances of patching than upgrading. A Tomcat upgrade is only necessary when a branch of Tomcat is being sunsetted by the community, meaning it will no longer be supported. When that happens, it is time to upgrade or get long-term support so you don't miss out on security and feature updates or become vulnerable to CVEs. It is worth mentioning that migrating from Tomcat 9 to 10.1 or 11 will require changes to your codebase. Plan accordingly because this will take time.
How to Test Tomcat Patches
Create a suite of repeatable test scripts where you can test performance and functionality in a non-production environment before and after applying a patch or upgrade. You can use a tool like open source Apache JMeter or Perforce BlazeMeter to create a suite of tests. This will give you confidence in the patch and make your deployment simpler.
The Risks of Not Patching Tomcat
There are a number of existing CVEs on all three of the supported major versions of Tomcat (Tomcat 9, Tomcat 10, and Tomcat 11). These range from cross-site scripting (XSS) and denial of service (DoS) vulnerabilities to bugs in Tomcat's Coyote, Catalina, and Jasper components, among others. Let’s examine what happened with the Relative Path Traversal vulnerability in Apache Tomcat that was discovered in October of 2025.
This CVE affected the Tomcat 9, 10.1, and 11 codebases. Because the rewritten URL was normalized before it was decoded, query parameters could be rewritten into the URL, which let attackers modify the request URL to circumvent security constraints, including the protection for /WEB-INF/ and /META-INF/. It also allowed PUT requests to upload files that could fill up the disk or lead to remote code execution (RCE).
Users were advised to upgrade to version 11.0.11+, 10.1.45+, or 9.0.109+, which fix the issue. Installations that remained on Apache Tomcat 8.5 were not given a backport because 8.5 was already end-of-life (EOL), with its last release (8.5.100) in March of 2024. This is why it is imperative to stay current with a supported major release if you don't have Tomcat LTS. Some users were forced to upgrade to the next major release, which broke their applications. Applying a minor point release to an existing installation is much easier.
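The repeatable test suite recommended above and the fixed versions listed for this CVE can be combined into a small post-patch verification script. The following Python is an added example, not OpenLogic's or the Tomcat project's code: it parses the server banner printed by `$CATALINA_HOME/bin/version.sh`, gates on the minimum fixed release for the 9.0, 10.1, and 11.0 branches named above (an unknown or EOL branch such as 8.5 is treated as unpatched), and runs an HTTP smoke test that confirms the application answers and that `/WEB-INF/` and `/META-INF/` resources are not served. The endpoint list, latency budget, and the sample banner and responses used in the offline run are constructed for illustration.

```python
"""Post-patch verification for a Tomcat instance: version gate plus HTTP smoke test."""
import re
import sys
import time
import urllib.error
import urllib.request
from dataclasses import dataclass

# Minimum fixed releases per branch for the path traversal issue described above.
# Branches not listed here (e.g. 8.5) are EOL or unknown and are treated as unpatched.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 109),
    (10, 1): (10, 1, 45),
    (11, 0): (11, 0, 11),
}

_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from text such as 'Server version: Apache Tomcat/10.1.45'."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no Tomcat version found in: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: tuple) -> bool:
    """True when the branch is supported and the release is at or above the fixed one."""
    fixed = FIXED_VERSIONS.get(tuple(version[:2]))
    if fixed is None:
        return False  # EOL or unknown branch: no backport will arrive
    return tuple(version) >= fixed


@dataclass
class Check:
    path: str
    expected_status: int
    max_latency_ms: float = 2000.0  # constructed budget; tune to your baseline


def default_fetch(url: str):
    """GET the URL and return (status, latency_ms); HTTP errors still yield their status."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code
    return status, (time.perf_counter() - start) * 1000.0


def run_smoke_test(base_url: str, checks, fetch=default_fetch):
    """Run each check; return a list of (path, passed, detail) tuples."""
    results = []
    for c in checks:
        status, latency = fetch(base_url.rstrip("/") + c.path)
        ok = status == c.expected_status and latency <= c.max_latency_ms
        results.append((c.path, ok, f"status={status} latency={latency:.0f}ms"))
    return results


# Checks worth keeping in the repeatable suite: the app answers, and the
# container refuses to serve its own descriptor directories (Tomcat returns 404).
DEFAULT_CHECKS = [
    Check("/", 200),
    Check("/WEB-INF/web.xml", 404),
    Check("/META-INF/MANIFEST.MF", 404),
]


def _offline_fetch(url: str):
    """Constructed responses so the script runs without a live Tomcat."""
    return (200, 12.0) if url.endswith("/") else (404, 5.0)


if __name__ == "__main__":
    # Usage: python verify_patch.py <base_url> < version.txt   (live instance)
    #        python verify_patch.py                             (offline demo)
    if len(sys.argv) > 1:
        base_url, banner, fetch = sys.argv[1], sys.stdin.read(), default_fetch
    else:
        base_url, banner, fetch = "http://localhost:8080", "Server version: Apache Tomcat/10.1.45", _offline_fetch
    version = parse_version(banner)
    print(f"Tomcat {'.'.join(map(str, version))}: {'patched' if is_patched(version) else 'NOT patched'}")
    for path, ok, detail in run_smoke_test(base_url, DEFAULT_CHECKS, fetch):
        print(f"{'PASS' if ok else 'FAIL'} {path} ({detail})")
```

Run it once against the pre-patch instance to record a baseline, then again after applying the point release; any check that flips from PASS to FAIL is the regression you want to see in the test environment rather than in production.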
Final Thoughts
It’s important to keep an eye out for Tomcat security updates, new version releases, end-of-life announcements, and more. Staying in touch with the community and being on their mailing list is a great way to keep yourself informed, plus it gives you an avenue to pose questions to the contributors and developers.
You can get a list of CVEs that are fixed for Apache Tomcat from the following links:
The CVE website provides an entire list of CVEs for Apache Tomcat, including ones that have not been fixed. You can also subscribe to the tomcat-users mailing list to receive CVE announcements. In addition, you can get information about which versions of Tomcat are currently supported and upcoming EOL dates via the Tomcat project page or from OpenLogic's Tomcat resource hub.
We encourage our customers to patch regularly and plan ahead for upgrades. Keeping up-to-date with patches requires some diligence, but the effort is worth it to keep your Tomcat protected from CVEs and other bugs. Planning maintenance windows so you have time to patch and test is highly encouraged.
