GHSA-m7jv-hq7h-mq7cHighCVSS 7.5

Infinite Loop in Apache Tomcat

Published
February 8, 2022
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

CVE-2020-13935

📋 Description

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

🎯 Affected products12

  • maven/org.apache.tomcat:tomcat:>= 10.0.0-M1, < 10.0.0-M7
  • maven/org.apache.tomcat:tomcat:>= 9.0.0.M1, < 9.0.37
  • maven/org.apache.tomcat:tomcat:>= 8.5.0, < 8.5.57
  • maven/org.apache.tomcat:tomcat:>= 7.0.27, < 7.0.105
  • maven/org.apache.tomcat.embed:tomcat-embed-websocket:>= 7.0.27, < 7.0.105
  • maven/org.apache.tomcat.embed:tomcat-embed-websocket:>= 8.5.0, < 8.5.57
  • maven/org.apache.tomcat.embed:tomcat-embed-websocket:>= 9.0.0.M1, < 9.0.37
  • maven/org.apache.tomcat.embed:tomcat-embed-websocket:>= 10.0.0-M1, < 10.0.0-M7
  • maven/org.apache.tomcat:tomcat-websocket:>= 10.0.0-M1, < 10.0.0-M7
  • maven/org.apache.tomcat:tomcat-websocket:>= 9.0.0.M1, < 9.0.37
  • maven/org.apache.tomcat:tomcat-websocket:>= 8.5.0, < 8.5.57
  • maven/org.apache.tomcat:tomcat-websocket:>= 7.0.27, < 7.0.105

🔗 References (28)