FixVibe
Covered by FixVibe · high

Apache Tomcat Sensitive Information Disclosure (CVE-2021-25122)

Apache Tomcat h2c request handling in affected 8.5.x, 9.0.x, and 10.0.x release lines can mix request headers and limited body data between users. Upgrade to 8.5.63, 9.0.43, 10.0.2, or newer for the release line in use.

CVE-2021-25122 · GHSA-j39c-c8hj-x4j3 · CWE-200

Impact

CVE-2021-25122 is an Apache Tomcat h2c request mix-up advisory. Apache and NVD describe affected Tomcat versions where new h2c connection handling could duplicate request headers and a limited amount of request body data from one request to another, so one user could receive data associated with another user's request [S2][S3][S4][S5].

Root Cause

The issue affects Tomcat h2c request handling in the released 8.5.x, 9.0.x, and 10.0.x lines. Apache lists the affected released ranges as 8.5.0 through 8.5.61, 9.0.0.M1 through 9.0.41, and 10.0.0-M1 through 10.0.0; the fixed releases are 8.5.63, 9.0.43, and 10.0.2, because the release candidates that first carried the fix failed their votes and were never published as releases [S2][S3][S4]. GitHub's package advisory marks the corresponding Maven ranges of org.apache.tomcat.embed:tomcat-embed-core below those fixed releases as affected [S1].

Covered by FixVibe

FixVibe covers this in authorized GitHub repo scans by reporting Maven and Gradle dependency evidence for Tomcat embedded-core or Coyote versions associated with CVE-2021-25122. The finding is a version-based advisory: FixVibe does not run Tomcat, send h2c upgrade requests, capture traffic, prove request mix-up behavior, or confirm that the affected dependency is the production runtime.

Remediation

Upgrade Tomcat to 8.5.63, 9.0.43, 10.0.2, or newer for the release line in use [S1][S2][S3][S4]. Align direct Tomcat artifacts, Spring Boot-managed versions, Tomcat BOMs, Gradle constraints, parent POMs, and container base images; rebuild and redeploy the actual WAR, JAR, image, or external Tomcat server. Verify dependency resolution with mvn dependency:tree -Dincludes=org.apache.tomcat,org.apache.tomcat.embed or the Gradle equivalent and use normal application smoke tests. Do not use h2c request mix-up reproduction or traffic capture as routine remediation verification.
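As an added example (not FixVibe's scanner and not code from the Tomcat project), the script below applies the affected-range rule from the Root Cause section to the output of the mvn dependency:tree command named above: every org.apache.tomcat or org.apache.tomcat.embed artifact whose version sorts below the fixed release for its line (8.5.63, 9.0.43, 10.0.2) is flagged, milestone versions such as 9.0.0.M1 and 10.0.0-M1 are treated as earlier than the final release with the same numbers, and lines the advisory does not cover (for example 10.1.x) are reported as out of scope rather than as clean. The dependency-tree text is constructed for the example and deliberately mixes 9.0.41 and 9.0.43 artifacts to show the misaligned-version case the remediation text warns about.

```python
"""Flag Tomcat artifacts in `mvn dependency:tree` output that sit below the
CVE-2021-25122 fixed releases. Added example; version rule taken from the
advisory text on this page (affected = below the fixed release of its line)."""
import re

# Fixed releases per release line, as listed in the advisory above.
FIXED_RELEASES = {"8.5": "8.5.63", "9.0": "9.0.43", "10.0": "10.0.2"}

# Group ids matched by the -Dincludes filter given in the remediation text.
TOMCAT_GROUPS = {"org.apache.tomcat", "org.apache.tomcat.embed"}

# Maven scopes: when present they are the last field of a coordinate token.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample output of `mvn dependency:tree` (not captured from a real build).
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.4.2:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.41:compile
[INFO] |  +- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.41:compile
[INFO] |  \- org.apache.tomcat.embed:tomcat-embed-jasper:jar:9.0.43:compile
[INFO] \- org.apache.tomcat:tomcat-coyote:jar:10.0.0-M1:test
"""


def version_key(version):
    """Sortable key: (major, minor, patch, is_final, qualifier_number).
    A final release (is_final=1) sorts after any milestone/RC (is_final=0)
    with the same numeric parts, so 9.0.0.M1 < 9.0.0 < 9.0.43."""
    nums, qualifier = [], None
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and qualifier is None:
            nums.append(int(part))
        elif qualifier is None:
            qualifier = part
    while len(nums) < 3:
        nums.append(0)
    if qualifier is None:
        return (*nums[:3], 1, 0)
    return (*nums[:3], 0, int(re.sub(r"\D", "", qualifier) or 0))


def release_line(version):
    key = version_key(version)
    return f"{key[0]}.{key[1]}"


def is_affected(version):
    """True/False for the 8.5, 9.0 and 10.0 lines; None for lines the
    advisory does not cover, so the caller cannot mistake them for clean."""
    fixed = FIXED_RELEASES.get(release_line(version))
    if fixed is None:
        return None
    return version_key(version) < version_key(fixed)


def parse_coordinate(line):
    """Return (group, artifact, version) for the first Maven coordinate token
    on a dependency:tree line, or None. Handles g:a:type:version[:scope] and
    g:a:type:classifier:version:scope layouts."""
    for token in line.split():
        fields = token.split(":")
        if len(fields) < 4:
            continue
        version = fields[-2] if fields[-1] in SCOPES else fields[-1]
        return fields[0], fields[1], version
    return None


def scan_dependency_tree(text):
    """One finding per Tomcat artifact, in tree order."""
    findings = []
    for line in text.splitlines():
        coord = parse_coordinate(line)
        if coord is None or coord[0] not in TOMCAT_GROUPS:
            continue
        group, artifact, version = coord
        findings.append({
            "artifact": f"{group}:{artifact}",
            "version": version,
            "affected": is_affected(version),
            "fixed_release": FIXED_RELEASES.get(release_line(version)),
        })
    return findings


if __name__ == "__main__":
    for f in scan_dependency_tree(SAMPLE_TREE):
        state = {True: "AFFECTED", False: "ok", None: "line not covered by advisory"}[f["affected"]]
        print(f"{f['artifact']} {f['version']}: {state}"
              + (f" (upgrade to {f['fixed_release']})" if f["affected"] else ""))
```

Run it against a saved dependency:tree file instead of the sample to get a per-artifact view; any mix of affected and fixed versions in the same tree is a sign that a Spring Boot managed version, BOM, constraint or parent POM still pins the old release somewhere and the rebuild has not actually moved the runtime.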
