CVE-2022-25762

CVE-2022-25762: Response mix-up with WebSocket concurrent send and close

Vendor Apache Software Foundation
Product Apache Tomcat
Weakness CWE-404
Published May 13, 2022
Last update August 3, 2024

CVSS base score

What the vulnerability does

Description

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be returned to the pool twice. Subsequent connections could then be handed the same object and use it concurrently, which could result in data being returned to the wrong user and/or other errors. The trigger is application-side concurrency (a send racing a close) rather than a crafted request, and the impact is an information leak between unrelated connections; versions outside the affected ranges above do not exhibit the double return.
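To make the failure mode concrete, the following Python model (added here as an illustration; it is not Tomcat's code, and the names `BufferPool`, `Connection`, the pool's free-list layout and the exact error path are assumptions chosen to mirror the advisory's wording) forces the interleaving the description refers to: a connection is closed, an in-flight send then fails and its error handler returns the same pooled buffer a second time, and the next two connections are lent the same buffer. The guarded pool shows the general CWE-404 mitigation, an idempotent release that refuses a buffer it did not lend out; it is presented as the general pattern, not as the specific Tomcat patch.

```python
"""Model of a pooled object returned twice after a send/close race (CWE-404).

Added illustration, not Apache Tomcat's code. Class names and the error-path
sequence are assumptions that mirror the CVE-2022-25762 description.
"""
import threading


class BufferPool:
    """Fixed-size pool of reusable buffers.

    guarded=False reproduces the bug: release() blindly appends to the free
    list, so a double release leaves the same buffer on the list twice.
    guarded=True applies the mitigation: release() is idempotent and only
    accepts a buffer that is currently checked out.
    """

    def __init__(self, size: int, guarded: bool):
        self._free = [bytearray(16) for _ in range(size)]
        self._checked_out: set[int] = set()  # id() of buffers currently lent out
        self._lock = threading.Lock()
        self._guarded = guarded
        self.rejected_releases = 0  # how many double returns the guard caught

    def acquire(self) -> bytearray:
        with self._lock:
            buf = self._free.pop()
            self._checked_out.add(id(buf))
            return buf

    def release(self, buf: bytearray) -> bool:
        with self._lock:
            if self._guarded and id(buf) not in self._checked_out:
                # Second return of the same buffer: refuse it instead of
                # corrupting the free list.
                self.rejected_releases += 1
                return False
            self._checked_out.discard(id(buf))
            self._free.append(buf)
            return True


class Connection:
    """A connection that borrows one buffer for its lifetime."""

    def __init__(self, pool: BufferPool):
        self.pool = pool
        self.buf = pool.acquire()
        self.closed = False

    def close(self) -> None:
        # Normal close path returns the buffer to the pool.
        self.closed = True
        self.pool.release(self.buf)

    def send(self, payload: bytes) -> None:
        # A send that loses the race with close() finds the socket gone; the
        # error handler cleans up and returns the buffer again (the bug).
        if self.closed:
            self.pool.release(self.buf)
            raise ConnectionError("socket closed")
        self.buf[: len(payload)] = payload


def race(guarded: bool) -> tuple[bool, bytes, int]:
    """Force the close-then-late-send interleaving deterministically.

    Returns (two later connections share one buffer?, what the second of
    them observes in its buffer, number of releases the guard rejected).
    """
    pool = BufferPool(size=4, guarded=guarded)
    a = Connection(pool)
    a.close()
    try:
        a.send(b"late message")  # completes after close(): error path runs
    except ConnectionError:
        pass
    b = Connection(pool)
    c = Connection(pool)
    b.buf[:5] = b"hello"  # data written by connection b ...
    return b.buf is c.buf, bytes(c.buf[:5]), pool.rejected_releases  # ... visible to c?


if __name__ == "__main__":
    print("unguarded:", race(guarded=False))
    print("guarded:  ", race(guarded=True))
```

With the unguarded pool, `race(False)` reports that connections `b` and `c` hold the same object and that `c` can read the `hello` written by `b`, which is exactly the "data returned to the wrong user" outcome in the description. With the guarded pool the second release is rejected, the two connections receive distinct buffers, and `c` sees only zeroed memory.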

Key dates

Disclosure timeline

May 13, 2022 CVE published
August 3, 2024 Record updated