CVE-2024-23672

CVE-2024-23672: Apache Tomcat: WebSocket DoS with incomplete closing handshake

Vendor Apache Software Foundation

Product Apache Tomcat

Weakness CWE-459

Published March 13, 2024

Last update October 29, 2025

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Key dates

Disclosure timeline

March 13, 2024 CVE published

October 29, 2025 Record updated

Identifiers

CVE CVE-2024-23672

CWE CWE-459

Affected versions

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 11.0.0-M1 and ≤ 11.0.0-M16

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 10.1.0-M1 and ≤ 10.1.18

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 9.0.0-M1 and ≤ 9.0.85

Vendor Apache Software Foundation

Product Apache Tomcat

Affected ≥ 8.5.0 and ≤ 8.5.98