GHSA-53hp-jpwq-2jgq

GitHub Security Advisory

Uncontrolled Resource Consumption in Apache Tomcat

✓ GitHub Reviewed | HIGH | Has CVE

Advisory Details

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Affected Packages

Maven org.apache.tomcat:tomcat: affected versions 10.0.0-M1 (fixed in 10.0.0-M5)
Maven org.apache.tomcat:tomcat: affected versions 9.0.0.M1 (fixed in 9.0.35)
Maven org.apache.tomcat:tomcat: affected versions 8.5.0 (fixed in 8.5.55)

Related CVEs

Key Information

GHSA ID: GHSA-53hp-jpwq-2jgq
Published: February 9, 2022 11:01 PM
Last Modified: March 11, 2024 5:59 PM
CVSS Score: 7.5/10
Primary Ecosystem: Maven
Primary Package: org.apache.tomcat:tomcat
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.