CVE-2025-53506: Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
7.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat-coyote | maven | >= 11.0.0-M1, < 11.0.9 | 11.0.9 |
| org.apache.tomcat:tomcat-coyote | maven | >= 10.1.0-M1, < 10.1.43 | 10.1.43 |
| org.apache.tomcat:tomcat-coyote | maven | >= 9.0.0.M1, < 9.0.107 | 9.0.107 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability, CVE-2025-53506, allows a remote, unauthenticated attacker to cause a denial of service in Apache Tomcat. The root cause is an uncontrolled resource consumption issue in the Coyote HTTP/2 protocol implementation.
Upon establishing an HTTP/2 connection, the server sends a SETTINGS frame to the client, specifying connection-level parameters, most importantly `MAX_CONCURRENT_STREAMS`. The vulnerability existed because Tomcat would not enforce this limit until the client acknowledged the settings by sending a SETTINGS frame with the ACK flag. A malicious client could simply refuse to send this acknowledgement and proceed to open an arbitrary number of streams. Each stream consumes server resources (memory and threads), and by opening an excessive number, the client could exhaust these resources, leading to a Denial of Service.
The analysis of the patch commits reveals two key functions involved:

- `org.apache.coyote.http2.Http2UpgradeHandler.Http2UpgradeHandler(...)`: This constructor is the entry point for handling a new HTTP/2 connection. It is responsible for configuring the initial settings. The vulnerable code called `localSettings.set(...)` to establish the stream limit, but this call did not enforce the limit immediately.
- `org.apache.coyote.http2.ConnectionSettingsLocal.set(...)`: This method contained the flawed logic. It would place the new setting in a `pending` map, waiting for client acknowledgement before moving it to the `current` (enforced) settings map. An attacker could exploit this delay.
The fix involves adding a `force` parameter to the `set` methods. The `Http2UpgradeHandler` now calls `set` with `force=true`, which causes `ConnectionSettingsLocal.set` to apply the `MAX_CONCURRENT_STREAMS` limit to the `current` settings immediately, mitigating the DoS risk by ensuring the server enforces the limit regardless of client acknowledgement.
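To make the `pending`/`current` distinction concrete, here is a simplified Python model of the server-side settings state described above. It is an added example, not Tomcat's code; the class names `LocalSettings` and `Connection` and the helper `streams_accepted` are hypothetical stand-ins for the real `ConnectionSettingsLocal` and `Http2UpgradeHandler` logic, and the stream limit of 100 is a constructed sample value.

```python
# Simplified model (added here, not Tomcat's code) of the SETTINGS/ACK timing behind
# CVE-2025-53506: a limit held in a "pending" map is never enforced against a client that never ACKs.
MAX_CONCURRENT_STREAMS = "MAX_CONCURRENT_STREAMS"
UNLIMITED = float("inf")


class LocalSettings:
    """Server-side (local) settings: 'current' is enforced, 'pending' awaits the ACK."""

    def __init__(self):
        self.current = {MAX_CONCURRENT_STREAMS: UNLIMITED}
        self.pending = {}

    def set(self, name, value, force=False):
        # force=True models the fix: the value goes straight into the enforced map.
        if force:
            self.current[name] = value
        else:
            self.pending[name] = value

    def ack(self):
        # The client's SETTINGS frame with the ACK flag promotes pending values.
        self.current.update(self.pending)
        self.pending.clear()

    def get(self, name):
        return self.current[name]


class Connection:
    """Counts open streams and refuses new ones beyond the enforced limit."""

    def __init__(self, max_streams, force):
        self.settings = LocalSettings()
        self.settings.set(MAX_CONCURRENT_STREAMS, max_streams, force=force)
        self.open_streams = 0

    def open_stream(self):
        if self.open_streams >= self.settings.get(MAX_CONCURRENT_STREAMS):
            return False  # a real server would answer with a stream error
        self.open_streams += 1
        return True


def streams_accepted(attempts, max_streams, force, client_acks):
    """How many of `attempts` stream opens succeed for a client that may never ACK."""
    conn = Connection(max_streams, force)
    if client_acks:
        conn.settings.ack()
    return sum(conn.open_stream() for _ in range(attempts))
```

With `force=False` and no ACK every stream is accepted (the vulnerable behaviour); with `force=True` the limit holds from the first stream whether or not the client ever acknowledges.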
Vulnerable functions

- `org.apache.coyote.http2.Http2UpgradeHandler.Http2UpgradeHandler` (`java/org/apache/coyote/http2/Http2UpgradeHandler.java`)
- `org.apache.coyote.http2.ConnectionSettingsLocal.set` (`java/org/apache/coyote/http2/ConnectionSettingsLocal.java`)