Miggo Logo
Miggo Vulnerability Database
CVE-2025-52434

CVE-2025-52434: Apache Tomcat Utilities is vulnerable to resource exhaustion when using the APR/Native connector

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2025-52434
GHSA ID
GHSA-4j3c-42xv-3f84
EPSS Score
0.18863%
CWE
CWE-362
Published
7/10/2025
Updated
7/11/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.apache.tomcat:tomcat-utilmaven>= 9.0.0.M1, < 9.0.1079.0.107

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability is a classic race condition (CWE-362) within the Apache Tomcat APR/Native connector, which is used for high-performance networking. The root cause is the lack of proper synchronization when accessing and modifying the state of a native socket, particularly during connection closing.

Multiple threads could interact with a socket wrapper (AprSocketWrapper) simultaneously. One thread (e.g., a connector thread reacting to a client-initiated close) could be closing the socket, while another thread (e.g., an application thread logging connection details) could be trying to read information like the remote address or port from that same socket.

Without synchronization, the thread reading socket information could access the underlying native socket pointer after it has been closed and deallocated by the other thread. This use-after-free condition in the native APR library can lead to memory corruption, segmentation faults (JVM crashes), or unpredictable behavior, which from the user's perspective, manifests as resource exhaustion or server instability.

The patch addresses this by introducing a comprehensive locking mechanism. A ReentrantLock is now used within the AprSocketWrapper to serialize access to the socket. The close() method and all methods that read socket information (populateRemoteAddr, populateRemoteHost, etc.) now acquire this lock before performing any operations on the socket. This ensures that closing the socket and accessing its properties are atomic operations, eliminating the race condition.

Vulnerable functions

org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.close
java/org/apache/tomcat/util/net/AprEndpoint.java
The original implementation lacked synchronization, allowing a race condition when closing the socket. The patch introduces a new `close()` method that acquires a lock before proceeding with the close operation, ensuring that closing the socket is an atomic operation and preventing other threads from accessing the socket in an inconsistent state.
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.populateRemoteAddr
java/org/apache/tomcat/util/net/AprEndpoint.java
This function was vulnerable to a race condition because it accessed the socket to get the remote address without proper locking. Another thread could close the socket between the `isClosed()` check and the `getSocket()` call, leading to a crash or undefined behavior in the native code. The patch adds a lock around the entire operation.
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.populateRemoteHost
java/org/apache/tomcat/util/net/AprEndpoint.java
This function was vulnerable to a race condition because it accessed the socket to get the remote host without proper locking. Another thread could close the socket between the `isClosed()` check and the `getSocket()` call, leading to a crash or undefined behavior in the native code. The patch adds a lock around the entire operation.
org.apache.tomcat.util.net.AprEndpoint$AprSocketWrapper.populateRemotePort
java/org/apache/tomcat/util/net/AprEndpoint.java
This function was vulnerable to a race condition because it accessed the socket to get the remote port without proper locking. Another thread could close the socket between the `isClosed()` check and the `getSocket()` call, leading to a crash or undefined behavior in the native code. The patch adds a lock around the entire operation.
org.apache.tomcat.util.net.AprEndpoint.stopInternal
java/org/apache/tomcat/util/net/AprEndpoint.java
The `stopInternal` method, which is responsible for shutting down the endpoint, used an incorrect locking strategy when closing open connections. This could fail to prevent race conditions. The fix removes the flawed explicit locking and relies on the newly synchronized `close()` method of the `AprSocketWrapper` to handle thread safety correctly.

WAF Protection Rules

WAF Rule

*on*urr*nt *x**ution usin* S**r** R*sour** wit* Improp*r Syn**roniz*tion ('R*** *on*ition') vuln*r**ility in *p**** Tom**t w**n usin* t** *PR/N*tiv* *onn**tor. T*is w*s p*rti*ul*rly noti****l* wit* *li*nt initi*t** *los*s o* *TTP/* *onn**tions. T*is

Reasoning

T** vuln*r**ility is * *l*ssi* r*** *on*ition (*W*-***) wit*in t** *p**** Tom**t *PR/N*tiv* *onn**tor, w*i** is us** *or *i**-p*r*orm*n** n*tworkin*. T** root **us* is t** l**k o* prop*r syn**roniz*tion w**n ****ssin* *n* mo*i*yin* t** st*t* o* * n*t