Tracking Tomcat CVEs: How to Protect Your App From Exploits

Apache Tomcat is one of the most popular web servers and servlet containers in the world for enterprise Java applications. The last State of Open Source Report showed that 58% of organizations using Java were also deploying Tomcat. Unfortunately, widespread adoption also makes it a lucrative target for cyberattacks. When a new Tomcat CVE is uncovered, security teams are racing against the clock to patch their systems before bad actors can exploit the flaw.

For organizations relying on Tomcat, staying ahead of these vulnerabilities is a critical business requirement. A single unpatched instance can serve as an entry point for ransomware, data exfiltration, or debilitating service outages. Patching Tomcat means upgrading to a minor version where the vulnerability has been fixed. Keeping up with the cadence of these security updates can be challenging, especially for complex production environments running on older versions like Tomcat 8.5.

This blog explores the current landscape of Tomcat security, analyzing several recent Tomcat vulnerabilities that must be addressed. We’ll also discuss how long-term support can protect your infrastructure if you can't immediately upgrade to a newer Tomcat version.

Common Tomcat Vulnerability Types

Like any complex web server, Apache Tomcat is susceptible to various categories of security flaws. Understanding these categories helps teams prioritize their defensive strategies.

Remote Code Execution (RCE)

RCE is arguably the most critical type of vulnerability. It allows an attacker to execute arbitrary commands on the server. If a Tomcat instance is running with high privileges, an RCE exploit can lead to a total system compromise. These flaws often arise from unsafe deserialization of untrusted data or issues within the JSP (JavaServer Pages) compilation process.

Denial of Service (DoS)

DoS attacks aim to make an application unavailable to its intended users. In the context of Tomcat, these vulnerabilities often exploit how the server handles HTTP requests, particularly in newer protocols like HTTP/2 or during TLS handshakes. By sending specially crafted packets or flooding the server with malformed requests, attackers can exhaust system memory or CPU resources, crashing the service.

Information Disclosure

These vulnerabilities allow unauthorized users to access sensitive data. This could include configuration files, source code, or session IDs. Information disclosure often occurs due to directory traversal bugs (where an attacker navigates outside the intended web root) or improper handling of error messages that leak stack traces.

Request Smuggling

Request smuggling occurs when the frontend server (like a load balancer) and the backend server (Tomcat) interpret HTTP requests differently. This desynchronization can allow attackers to bypass security controls, poison web caches, or steal credentials.

Tomcat Vulnerabilities to Watch Out For

Recent security disclosures have highlighted specific risks within the Tomcat ecosystem. Security teams should audit their environments for the following CVEs, which represent significant risks to stability and integrity.

Note: All of these CVEs have been patched in Tomcat LTS from OpenLogic. 

CVE-2024-50379

Severity: High / Critical
Vulnerability Type: Remote Code Execution (RCE) via TOCTOU

This CVE involves a race condition in the DefaultServlet, where concurrent GET and PUT/DELETE requests for the same resource could result in inconsistent file metadata. Under specific misconfigurations, this inconsistency could allow a resource to be accessed during upload or deletion. 

This is particularly dangerous because it bypasses standard file upload restrictions. If exploited, it grants the attacker code execution capabilities on the server, potentially leading to data theft or lateral movement within the network. The fix ensures resource metadata remains consistent across concurrent read and write operations.

CVE-2024-34750

Severity: High
Vulnerability Type: Denial of Service (DoS)

This Improper Handling of Exceptional Conditions and Uncontrolled Resource Consumption vulnerability in Tomcat impacts the handling of HTTP/2 requests. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to miscounting active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout, allowing connections to remain open that should have been closed.

To exploit, an attacker could send a sequence of malformed HTTP/2 headers or streams that the server fails to process efficiently. This causes the Tomcat instance to consume excessive memory or CPU cycles, eventually becoming unresponsive and resulting in Denial of Service (DoS). For e-commerce platforms or mission-critical APIs, this downtime translates directly to lost revenue.

CVE-2024-38286

Severity: Medium / High
Vulnerability Type: Denial of Service (DoS) via TLS

This flaw resides in how Tomcat processes TLS (Transport Layer Security) handshakes. When an application encounters an exception during the TLS handshake process — such as when processing a client certificate or negotiating cipher suites — it may not release allocated memory resources correctly. 

This vector is subtle because it targets the secure connection layer itself, often bypassing application-level firewalls that are looking for malicious payloads rather than handshake anomalies.The fix for this flaw supports TLS 1.3 client-initiated re-keying and imposes internal handshake queue limits, closing a path where a malicious TLS handshake could trigger an uncontrolled memory allocation and lead to an OutOfMemoryError.

CVE-2025-24813

Severity: Critical
Vulnerability Type: Remote Code Execution (RCE) via Path/Upload Handling

A critical path-equivalence vulnerability in the DefaultServlet that could allow remote code execution or unauthorized file modification via partial PUT and session persistence exploitation, enabling attackers to write malicious content to server storage. The exploit involves sending a crafted PUT request to upload a malicious payload followed by a GET using a manipulated session cookie, triggering deserialization of the attacker’s payload. Because this occurs at the servlet container level, it can lead to full server compromise and persistent access when successful.

CVE-2024-56337

Severity: High / Critical
Vulnerability Type: Race Condition (TOCTOU) Leading to Possible RCE

This vulnerability arises from a race condition that could lead to Remote Code Execution (RCE) under specific configurations, resulting from incomplete mitigation of CVE-2024-50379 (discussed above). Users running Tomcat on a case-insensitive file system with the default servlet write-enabled (the readonly initialization parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379, depending on which version of Java you are using with Tomcat: 

• Running on Java 8 or Java 11: The system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true). 
• Running on Java 17: The system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false). 
• Running on Java 21 and later: No further configuration is required (the system property and the problematic cache have been removed).

CVE-2024-52316

Severity: Medium
Vulnerability Type: Authentication Bypass (Unchecked Error Condition)

This CVE impacts Tomcat’s Jakarta Authentication (JASPIC) integration where a custom ServerAuthContext could throw an exception during authentication without an appropriate HTTP failure status, potentially allowing unauthorized access. The latest version of Tomcat now defensively handles such uncaught exceptions by treating them as authentication failures and ensuring a proper error response is sent (500, Internal Server Error), preventing request processing from continuing.

The Cost of a Tomcat CVE Exploit

Failing to address Tomcat vulnerabilities can lead to severe and long-lasting consequences including:

Data Breaches

According to industry reports, the average cost of a data breach is more than four million dollars. This figure includes regulatory fines (such as GDPR or CCPA penalties), legal fees, and the cost of forensic investigations. If an RCE vulnerability in Tomcat allows an attacker to access customer databases, the financial liability can be catastrophic.

Operational Disruption and Downtime

For businesses that rely on digital availability, uptime is money. A DoS attack exploiting a flaw like CVE-2024-34750 can take a service offline for hours or days. During this time, transactions stop, productivity halts, and Service Level Agreements (SLAs) are breached. The immediate revenue loss is compounded by the cost of emergency engineering resources required to restore service.

Reputation Damage

Trust is difficult to build and easy to lose. When a company suffers a public security incident, customer confidence erodes. Clients may take their business to competitors perceived as more secure. The long-term impact on brand reputation often outweighs the immediate financial costs of dealing with the breach itself.

How Tomcat LTS Can Help

The most direct way to mitigate these vulnerabilities is to upgrade to the latest supported version of Tomcat. However, for many enterprises, upgrading Tomcat may not be the fastest or simplest solution. 

Upgrading a core component like a web server often necessitates code changes, rigorous regression testing, and updates to the underlying Java Runtime Environment (JRE). This process can take weeks or months — time you don't have when a critical CVE is actively being exploited in the wild.

This is where Tomcat Long-Term Support (LTS) serves as a strategic bridge.

• Immediate Security Without Forced Upgrades: Tomcat LTS provide backported security patches for older, end-of-life (EOL) versions of Tomcat like 8.5. This means you can apply a fix for a critical CVE to your existing Tomcat instance without being forced to perform a major version upgrade. 
• Guaranteed Patches for Critical Vulnerabilities: Community support eventually ends. When it does, no new patches are released for that version, regardless of severity. Partnering with an LTS provider like OpenLogic guarantees patches for critical and high-severity vulnerabilities (CVSS 7.0+), ensuring that your legacy infrastructure remains secure against modern threats.
• Compliance Maintenance: For industries regulated by standards like PCI-DSS or HIPAA, running unsupported software is a compliance violation. LTS ensures that you remain compliant by demonstrating that your software stack is supported and receiving regular security updates, avoiding potential audit failures and fines.

Final Thoughts

Vulnerabilities in widely used software like Tomcat are inevitable. The discovery of new CVEs is a matter of "when," not "if." For organizations managing complex Java applications, the risk of running unpatched software far outweighs the cost of maintaining it.

Ignoring these threats is a gamble with high stakes. Whether through aggressive internal upgrade cycles or by partnering with an LTS provider to secure older versions, organizations must have a proactive strategy for vulnerability management. By securing your Tomcat instances against known exploits, you can protect your data, your revenue, and your reputation.

Additional Resources

• Blog - Tomcat Patching Best Practices
• Webinar - Taming Tomcat 11: Tips and Tricks for Java Teams
• Whitepaper - The Enterprise Guide to Apache Tomcat
• Blog - Troubleshooting Tomcat Errors
• Blog - Preparing for Your Next Tomcat Upgrade
• Guide - Apache Tomcat Overview