Impact
CVE-2021-25122 is an Apache Tomcat h2c request mix-up advisory. Apache and NVD describe affected Tomcat versions in which the handling of new h2c connections could duplicate request headers and a limited amount of request body data from one request into another, so one user could receive data associated with another user's request [S2][S3][S4][S5].
Root Cause
The issue affects Tomcat h2c request handling in the released 8.5.x, 9.0.x, and 10.0.x lines. Apache lists the released affected ranges as 8.5.0 through 8.5.61, 9.0.0.M1 through 9.0.41, and 10.0.0-M1 through 10.0.0. The fixed releases are 8.5.63, 9.0.43, and 10.0.2; the earlier release candidates that carried the fix were never published as releases, so those later versions are the first fixed ones [S2][S3][S4]. GitHub's package advisory marks the corresponding Maven package ranges below those fixed releases as affected for org.apache.tomcat.embed:tomcat-embed-core [S1].
Covered by FixVibe
FixVibe covers this in authorized GitHub repo scans by reporting Maven and Gradle dependency evidence for Tomcat embedded-core or Coyote versions associated with CVE-2021-25122. The finding is a version-based advisory: FixVibe does not run Tomcat, send h2c upgrade requests, capture traffic, prove request mix-up behavior, or confirm that the affected dependency is the production runtime.
Remediation
Upgrade Tomcat to 8.5.63, 9.0.43, 10.0.2, or newer for the release line in use [S1][S2][S3][S4]. Align direct Tomcat artifacts, Spring Boot-managed versions, Tomcat BOMs, Gradle constraints, parent POMs, and container base images; rebuild and redeploy the actual WAR, JAR, image, or external Tomcat server. Verify dependency resolution with mvn dependency:tree -Dincludes=org.apache.tomcat,org.apache.tomcat.embed or the Gradle equivalent and use normal application smoke tests. Do not use h2c request mix-up reproduction or traffic capture as routine remediation verification.
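As an added example (not FixVibe code and not from the advisory), the following script applies the version-based check described above to the output of mvn dependency:tree: it parses each org.apache.tomcat / org.apache.tomcat.embed artifact line, compares its version against the fixed releases listed in this advisory, and reports what is still below the fix. The sample tree output is constructed to show a partially aligned build where one artifact was upgraded and others were not; the milestone handling (9.0.0.M1, 10.0.0-M1) and the treatment of the unpublished versions between the last affected release and the fix are the author's assumptions, not part of the page.

```python
import re

# Fixed releases named in the advisory, keyed by Tomcat release line.
# Anything below the fixed release in its line is treated as affected; this is
# conservative, since the unpublished candidates between the last affected
# version and the fix are counted as affected too (assumption, not from the page).
FIXED_RELEASES = {"8.5": "8.5.63", "9.0": "9.0.43", "10.0": "10.0.2"}

# Artifact lines printed by `mvn dependency:tree`, e.g.
# "[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile"
TREE_LINE = re.compile(
    r"(org\.apache\.tomcat(?:\.embed)?):([\w.-]+):jar:([^:\s]+):(\w+)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Sortable key for Tomcat versions, including milestones (9.0.0.M1, 10.0.0-M1).
    A milestone sorts before the GA release carrying the same numbers."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version}")
    major, minor, patch, milestone = m.groups()
    is_ga = milestone is None
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(version):
    """True if `version` is below the fixed release of its line,
    None if the release line is not one this advisory covers."""
    key = version_key(version)
    fixed = FIXED_RELEASES.get(f"{key[0]}.{key[1]}")
    if fixed is None:
        return None
    return key < version_key(fixed)


def scan_dependency_tree(tree_output):
    """Return (group:artifact, version, scope) for every affected Tomcat artifact."""
    findings = []
    for line in tree_output.splitlines():
        m = TREE_LINE.search(line)
        if m and is_affected(m.group(3)):
            group, artifact, version, scope = m.groups()
            findings.append((f"{group}:{artifact}", version, scope))
    return findings


# Constructed sample output (not from a real build): embed-websocket was bumped
# but embed-core and annotations-api were left behind, so the build is not aligned.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] \\- com.example:web-lib:jar:1.2.0:compile
[INFO]    +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
[INFO]    +- org.apache.tomcat:tomcat-annotations-api:jar:9.0.41:compile
[INFO]    \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.43:compile
"""

if __name__ == "__main__":
    for finding in scan_dependency_tree(SAMPLE_TREE):
        print("AFFECTED:", *finding)
```

Pipe real output into scan_dependency_tree to check a build; a non-empty result means the dependency alignment step above is not finished.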
