Redazione RHC : 19 July 2025 09:13
The Apache team recently fixed a denial-of-service (DoS) vulnerability classified as high severity. There’s a new inconvenient guest in data centers around the world. It’s called CVE-2025-53506 and it doesn’t make noise like ransomware, it doesn’t manifest itself with disturbing popups or spectacular thefts. No, this vulnerability prefers to act silently, surgically crashing Apache Tomcat servers, without requiring privileges, interaction, or complex exploits. A true low-cost logic bomb.
Fortunately, Apache acted quickly. On July 11, 2025, it released a patch for this bug classified as a high-severity Denial of Service (DoS), which specifically affects the implementation of HTTP/2 in the popular Java web server. Recorded Future’s Insikt Group team also raised the alarm, publishing a detailed analysis, confirming the absence of active exploits at the time of disclosure but recommending continued vigilance.
HTTP/2, the protocol created to speed up web communication, manages TLS connections through an exchange of initial “frames” between client and server, including the infamous SETTINGS frame. And here’s the problem: if the client doesn’t send the SETTINGS ACK, the Apache Tomcat server cannot enforce the limit on the maximum number of concurrent streams. Each stream is associated with a thread, allowing the attacker to simply open hundreds (or thousands) of connections, exhausting the thread pool and blocking the service, without breaching firewalls or generating anomalous traffic.
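To make the mechanism concrete, here is an added, simplified model of an HTTP/2 server’s per-connection stream accounting (illustration code, not Tomcat’s own implementation and not the actual patch): the vulnerable variant only applies its concurrent-stream limit once the client has acknowledged SETTINGS, while the hardened variant falls back to the advertised cap before the ACK and drops a connection whose client never acknowledges. The constants and the timeout value are assumptions chosen for the model.

```python
from dataclasses import dataclass

MAX_CONCURRENT_STREAMS = 100  # limit advertised in the server's initial SETTINGS frame (assumed)
SETTINGS_ACK_TIMEOUT = 5.0    # seconds the hardened model waits for the client's ACK (assumed)

class StreamLimitExceeded(Exception):
    pass

@dataclass
class Connection:
    hardened: bool            # False: limit only enforced once the client ACKs SETTINGS
    settings_acked: bool = False
    open_streams: int = 0
    closed: bool = False

    def effective_limit(self):
        if self.settings_acked:
            return MAX_CONCURRENT_STREAMS
        # In HTTP/2 a SETTINGS value is not "applied" until the peer ACKs it.
        # Vulnerable model: no cap at all before the ACK.  Hardened model: fall back
        # to the advertised cap so a client that stays silent cannot exceed it.
        return MAX_CONCURRENT_STREAMS if self.hardened else None

    def on_frame(self, frame: str, elapsed: float) -> None:
        """Handle 'SETTINGS_ACK' or 'HEADERS' (a HEADERS frame opens a new stream)."""
        if self.closed:
            raise ConnectionError("connection already closed")
        if frame == "SETTINGS_ACK":
            self.settings_acked = True
            return
        if self.hardened and not self.settings_acked and elapsed > SETTINGS_ACK_TIMEOUT:
            self.closed = True  # fallback: drop a client that never acknowledges SETTINGS
            raise ConnectionError("no SETTINGS ACK within timeout")
        limit = self.effective_limit()
        if limit is not None and self.open_streams >= limit:
            raise StreamLimitExceeded(f"{self.open_streams} streams already open")
        self.open_streams += 1

def streams_accepted(hardened: bool, requested: int, send_ack: bool, elapsed: float = 0.0) -> int:
    """Let one client try to open `requested` streams; return how many the server accepted."""
    conn = Connection(hardened=hardened)
    if send_ack:
        conn.on_frame("SETTINGS_ACK", elapsed=0.0)
    for _ in range(requested):
        try:
            conn.on_frame("HEADERS", elapsed=elapsed)
        except (StreamLimitExceeded, ConnectionError):
            break
    return conn.open_streams
```

In the vulnerable model a client that withholds the ACK gets every stream it asks for, which is exactly the thread-pool exhaustion the advisory describes; the hardened model caps it at the advertised limit regardless.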
No privileges required. No user input. No Hollywood-style exploits. Just a clever abuse of the protocol’s intended behavior. This makes the attack:
The CVSS v4 score assigned by Recorded Future is 6.9, technically classified as “Medium”, but in practice the impact can be Critical, especially in containerized or microservice architectures where one blocked component can have a cascading effect on the others.
According to the Official Apache mailing list and the advisory on GitHub, vulnerable releases include:
The advice is as clear as ever: update immediately to Tomcat 11.0.9, 10.1.43, or 9.0.107, where the bug has been definitively fixed. The patches strengthen stream control and introduce fallback behaviors in the event of a missing SETTINGS ACK.
Recorded Future’s analysis clarifies that no active attack campaigns have yet been observed exploiting this vulnerability. But beware: in the life cycle of a CVE, the period between disclosure and weaponization is often very short.
The cybercriminal community’s interest grows proportionally to the availability of public PoCs (Proof of Concept). And considering that the exploit is trivial to reproduce with a few Python scripts or HTTP/2 test harness tools, it’s likely that CVE-2025-53506 will find its way into malicious actors’ DoS toolkits within a few weeks—especially in hacktivist contexts or for targeted destructive attacks.
If you manage internet-exposed infrastructure (think portals, API gateways, RESTful backends), and have HTTP/2 enabled on Tomcat, act now. Possible actions:
The vulnerability is mapped as CWE-400 (Uncontrolled Resource Consumption), a timeless classic in resilience testing that periodically returns in new forms.
This case is yet another confirmation that security is not just a matter of exploits but also of design. When a protocol as widespread as HTTP/2 allows a DoS attack “by design” in the absence of specific controls, it’s clear that the infrastructure’s resilience depends on every single detail: timeouts, acknowledgments, stream limits. Every bit counts.
Thanks to Apache for the quick response. But now it’s up to those who manage, patch, monitor, and defend. And, with any luck, to sleep soundly.