GHSA-g8pj-r55q-5c2v
GitHub Security Advisory
Apache Tomcat Incomplete Cleanup vulnerability
Status: GitHub Reviewed
Severity: MODERATE
Has CVE
Advisory Details
Incomplete Cleanup vulnerability in Apache Tomcat.
When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error raised during the recycling process could cause Tomcat to skip some parts of that process, so state belonging to the current request/response remains on the reused object and leaks to the next request handled through it. Older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
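The bug class behind this advisory, shown as an added illustration that is not Tomcat's code: a pooled request object is reset step by step, and when one step throws, the steps after it never run, so the next request served by that object inherits the previous request's data. The field names, the recycle hook and the two requests below are constructed for the example; the hardened variant clears every field independently and only re-raises the error once all state is gone.

```python
"""Illustration of an interrupted recycle() leaking state across requests.

Constructed example for this advisory; not Apache Tomcat's implementation.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


class BrokenHook(Exception):
    """Stands in for whatever error interrupted recycling."""


@dataclass
class PooledRequest:
    """A request object reused between connections (hypothetical structure)."""
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytearray = field(default_factory=bytearray)
    attributes: Dict[str, object] = field(default_factory=dict)
    # A sub-component's own recycle step that may fail.
    recycle_hook: Optional[Callable[[], None]] = None

    def recycle_naive(self) -> None:
        """Sequential recycling: an exception in the hook skips everything after it."""
        self.headers.clear()
        if self.recycle_hook is not None:
            self.recycle_hook()  # may raise -> body and attributes are never cleared
        self.body.clear()
        self.attributes.clear()

    def recycle_safe(self) -> None:
        """Clear every field regardless of errors; report the error only afterwards."""
        error: Optional[BaseException] = None
        self.headers.clear()
        if self.recycle_hook is not None:
            try:
                self.recycle_hook()
            except Exception as exc:  # keep recycling whatever the hook did
                error = exc
        self.body.clear()
        self.attributes.clear()
        if error is not None:
            raise error


def serve_two_requests(recycle: Callable[[PooledRequest], None]) -> Dict[str, object]:
    """Push two requests through one pooled object using the given recycle strategy.

    Returns the state the second request finds on the object before it sets
    anything of its own; an empty result means nothing leaked.
    """
    req = PooledRequest()
    # Request 1 (constructed): an authenticated user posts sensitive data.
    req.headers["Authorization"] = "Bearer user1-token"
    req.body.extend(b"card=4111111111111111")
    req.attributes["user"] = "user1"

    def failing_hook() -> None:
        raise BrokenHook("listener failed during recycle")

    req.recycle_hook = failing_hook
    try:
        recycle(req)
    except BrokenHook:
        pass  # the container logs the error and returns the object to the pool anyway
    # Request 2 (anonymous) is handed the same object.
    return {
        "headers": dict(req.headers),
        "body": bytes(req.body),
        "attributes": dict(req.attributes),
    }


if __name__ == "__main__":
    print("naive:", serve_two_requests(PooledRequest.recycle_naive))
    print("safe: ", serve_two_requests(PooledRequest.recycle_safe))
```

With `recycle_naive`, the headers are gone (cleared before the hook ran) but the body and the user attribute from request 1 are still attached when request 2 arrives; with `recycle_safe`, every field is empty and the hook's error is still surfaced to the caller.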
Affected Packages (Maven)
org.apache.tomcat:tomcat-coyote
  Affected versions: >= 11.0.0-M1, < 11.0.0-M12 (fixed in 11.0.0-M12)
  Affected versions: >= 10.1.0-M1, < 10.1.14 (fixed in 10.1.14)
org.apache.tomcat:tomcat
  Affected versions: >= 9.0.0-M1, < 9.0.81 (fixed in 9.0.81)
  Affected versions: >= 8.5.0, < 8.5.94 (fixed in 8.5.94)
org.apache.tomcat.embed:tomcat-embed-core
  Affected versions: >= 11.0.0-M1, < 11.0.0-M12 (fixed in 11.0.0-M12)
  Affected versions: >= 10.1.0-M1, < 10.1.14 (fixed in 10.1.14)
  Affected versions: >= 9.0.0-M1, < 9.0.81 (fixed in 9.0.81)
  Affected versions: >= 8.5.0, < 8.5.94 (fixed in 8.5.94)
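Checking a build against the ranges above is not a plain string comparison, because Tomcat milestone versions (10.1.0-M1, 11.0.0-M11) sort below the GA release with the same number. The following added script, which is not part of the advisory or of any GitHub tooling, encodes the ranges from this advisory, parses the `groupId:artifactId:type:version:scope` coordinates that `mvn dependency:tree` prints, and reports which dependencies fall inside them. The sample tree at the bottom is constructed for the example.

```python
"""Check Maven coordinates against the affected ranges in this advisory.

Added example for this page; it is not part of the advisory or of Tomcat.
"""
import re
from typing import Dict, List, Tuple

# (first affected, first fixed) per release branch, as listed in the advisory.
AFFECTED_RANGES: Dict[Tuple[int, int], Tuple[str, str]] = {
    (11, 0): ("11.0.0-M1", "11.0.0-M12"),
    (10, 1): ("10.1.0-M1", "10.1.14"),
    (9, 0): ("9.0.0-M1", "9.0.81"),
    (8, 5): ("8.5.0", "8.5.94"),
}

AFFECTED_ARTIFACTS = {
    "org.apache.tomcat:tomcat-coyote",
    "org.apache.tomcat:tomcat",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_COORD_RE = re.compile(r"[A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+){2,}")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.1.0-M5' into a sortable tuple.

    A milestone sorts below the GA release with the same number, so a flag
    (0 = milestone, 1 = GA) precedes the milestone number:
    11.0.0-M11 < 11.0.0-M12 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def classify_version(version: str) -> str:
    """Return 'affected', 'fixed', or 'not-covered' for a Tomcat version.

    'not-covered' means the version is outside every listed range, e.g. the
    EOL 10.0.x or 7.0.x branches, which the advisory says may also be affected.
    """
    v = parse_version(version)
    branch = AFFECTED_RANGES.get((v[0], v[1]))
    if branch is None:
        return "not-covered"
    first_bad, first_fixed = (parse_version(b) for b in branch)
    if v < first_bad:
        return "not-covered"
    return "affected" if v < first_fixed else "fixed"


def check_coordinate(coordinate: str) -> Tuple[str, str, str]:
    """Classify one Maven coordinate.

    Accepts the dependency:tree form groupId:artifactId:type[:classifier]:version[:scope]
    and the short groupId:artifactId:version form. Returns (groupId:artifactId,
    version, status); status is 'not-listed' for artifacts the advisory does not name.
    """
    parts = coordinate.strip().split(":")
    if len(parts) < 3:
        raise ValueError(f"not a Maven coordinate: {coordinate!r}")
    ga = f"{parts[0]}:{parts[1]}"
    if ga not in AFFECTED_ARTIFACTS:
        return (ga, "", "not-listed")
    versions = [p for p in parts[2:] if _VERSION_RE.match(p)]
    if not versions:
        raise ValueError(f"no parsable version in {coordinate!r}")
    return (ga, versions[0], classify_version(versions[0]))


def scan_dependency_tree(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return the affected (groupId:artifactId, version, status) entries in a dependency tree."""
    findings = []
    for line in tree_text.splitlines():
        m = _COORD_RE.search(line)
        if not m:
            continue
        ga, version, status = check_coordinate(m.group(0))
        if status == "affected":
            findings.append((ga, version, status))
    return findings


# Constructed sample of `mvn dependency:tree` output; versions are illustrative only.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.1.3:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.13:compile
[INFO] |  \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.13:compile
[INFO] \\- org.apache.tomcat:tomcat-coyote:jar:9.0.81:test
"""

if __name__ == "__main__":
    for ga, version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"{status}: {ga} {version}")
```

Pipe real output in with `mvn dependency:tree | python check_tomcat.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`; `tomcat-embed-websocket` is reported as not-listed because the advisory names only the three artifacts above, even though it ships with the same version.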
Related CVEs
Key Information
Score: 5.0/10
Dataset
Last updated: September 10, 2025 6:31 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.