Apache Tomcat Coyote Vulnerability Let Attackers Trigger DoS Attack


Activity Timeline

- CVE-2025-52434: Apache Tomcat: APR/Native Connecto... (OSS Security, Jul 10, 20:06)
- CVE-2025-53506: Apache Tomcat: DoS via excessive h... (OSS Security, Jul 10, 20:12)
- Apache Tomcat Coyote Flaw Allows Attackers to Laun... (GB Hackers, Jul 15, 09:15)
- Apache Tomcat Coyote Vulnerability Let Attackers T... (Cybersecurity News, Primary Article, Jul 15, 19:05)
A newly disclosed flaw in Apache Tomcat’s Coyote engine—tracked as CVE-2025-53506—has surfaced in the latest round of HTTP/2 security advisories. First noted in the National Vulnerability Database five days ago, the weakness stems from Coyote’s failure to enforce a hard cap on concurrent streams when an HTTP/2 client never acknowledges the server’s initial SETTINGS frame. By repeatedly initiating streams that are never closed, a remote attacker can exhaust the server’s thread pool and force the container into a prolonged denial-of-service state, even though confidentiality and integrity remain unaffected. Because the exploit rides ordinary TCP port 443 traffic, firewalls see nothing suspicious; attack complexity remains low, and no credentials are required. GitHub analysts subsequently traced the issue to a race condition introduced during the refactor that added dynamic stream limits, publishing proof-of-concept traffic captures that reliably crash unpatched builds. The vulnerability affect...
