FixVibe

// code / spotlight

Apache Tomcat h2c Request Mix-Up Advisory

Affected Tomcat h2c handling can put request data on the wrong response path.

The hook

Tomcat often reaches production through embedded servlet containers, Spring Boot-managed dependencies, platform BOMs, or container base images. CVE-2021-25122 is an h2c request mix-up advisory, so FixVibe treats a repo match as dependency evidence, not proof that the deployed service accepts HTTP/2 cleartext upgrade traffic or leaked request data.

How it works

The repo check looks for Tomcat embedded-core and Coyote Maven coordinates in Java build files. Exact declared versions produce the strongest signal; compatible manifest ranges are reported when they clearly allow affected 8.5.x, 9.0.x, or 10.0.x release lines. The finding stays scoped to dependency evidence and does not claim FixVibe sent h2c traffic.

The blast radius

If an affected Tomcat runtime is deployed with the vulnerable h2c path reachable, request headers and limited request body data can be mixed between users under the advisory conditions. A repo match should trigger dependency-tree review, artifact rebuild, connector review, and runtime verification before anyone treats it as confirmed production exposure.

// what fixvibe checks

What FixVibe checks

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Ironclad defenses

Upgrade the active Tomcat release line to 8.5.63, 9.0.43, 10.0.2, or newer. Update direct Tomcat artifacts, BOMs, Spring Boot-managed versions, Gradle constraints, or container base images as needed, then rebuild and redeploy the actual WAR, JAR, or image.

// run it on your own app

Keep shipping while FixVibe keeps watch.

FixVibe pressure-tests the public surface of your app the way an attacker would β€” no agent, no install, no card. We keep researching new vulnerability patterns and turn them into practical checks and paste-ready fixes for Cursor, Claude, and Copilot.

Source code
116
tests fired in this category
modules
76
dedicated source code checks
every scan
487+
tests across all categories
  • Free β€” no credit card, no install, no Slack ping
  • Just paste a URL β€” we crawl, probe, and report
  • Severity-graded findings, deduped to signal only
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Run a free scan β†’

// latest checks Β· practical fixes Β· ship with confidence

Apache Tomcat h2c Request Mix-Up Advisory β€” Vulnerability Spotlight | FixVibe Β· FixVibe