CVE-2025-52434
Apache Tomcat: APR/Native Connector crash leading to DoSConcurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue.
We have discovered 8,549 live websites that are affected by CVE-2025-52434.
Affected Software
| Product |  Apache Tomcat |
| Category | Web Servers |
| Vulnerable Domains | 8,549 live websites (92% of Apache Tomcat install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 325 versions ( 87% of all versions) |
Common Weakness Enumeration
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')Details
- Published - Jul 10, 2025
- Updated - Nov 4, 2025
Credits
- Nacl (finder)
- 12SqweR (finder)
- WHOAMI (finder)
- yyzmoon (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-52434 United States | 2,641 websites |
 China | 1,936 websites |
 Germany | 440 websites |
 Hong Kong | 277 websites |
 Italy | 229 websites |
 France | 221 websites |
 Brazil | 191 websites |
 Korea, South | 180 websites |
 Spain | 169 websites |
Website Distribution by TLD
Number of websites using CVE-2025-52434| .com | 3,689 websites |
| .net | 446 websites |
| .cn | 422 websites |
| .de | 330 websites |
| .org | 277 websites |
| .edu | 213 websites |
| .it | 194 websites |
| .com.br | 192 websites |
| .com.cn | 154 websites |
| .fr | 108 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-52434
Top websites that are affected by CVE-2025-52434. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ***.***.edu | United States | *** | |
| **************.com |  Canada | **,*** | |
| **.***.*****.*****.***.com | United States | **,*** | |
| *****.********.com | United States | **,*** | |
| **.******.com | United States | **,*** | |
| ****.***.uz |  Uzbekistan | **,*** | |
| ****.******.com | United States | **,*** | |
| ****.******.com | United States | **,*** | |
| ****.******.com | United States | **,*** | |
| ****.***.hk | Hong Kong | **,*** |
FAQ
CVE-2025-52434 is Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in Apache Tomcat
A total of 8,549 websites have been identified as vulnerable to CVE-2025-52434, based on global website indexing conducted by WebTechSurvey.
The Apache Tomcat is affected by the CVE-2025-52434 vulnerability.
Apache Tomcat versions up to and including 10.0.27 are vulnerable to CVE-2025-52434.