HIGH · CVSS 7.5
CVE-2024-24549 — Apache Tomcat HTTP/2 DoS
An input-validation flaw in Tomcat's HTTP/2 connector: when a request exceeded one of the connector's configured header limits, the stream was not reset until all of the request's headers had been processed. An unauthenticated attacker can repeatedly send requests with excess or oversized headers and make the server spend CPU on data it is going to discard anyway, degrading a Tomcat-fronted application.
Affects
- Tomcat 11.0.0-M1 through 11.0.0-M16
- Tomcat 10.1.0-M1 through 10.1.18
- Tomcat 9.0.0-M1 through 9.0.85
- Tomcat 8.5.0 through 8.5.98
What an attacker does
Not a replay of CVE-2023-44487 (HTTP/2 rapid reset), which Tomcat fixed separately. Here the attacker opens HTTP/2 streams whose headers breach a configured limit (for example the connector's header count or size limit). A correct implementation resets the stream at the first violation; the vulnerable connector keeps parsing the remaining headers first, so each cheap malicious request costs the server far more work than it should. Only network reachability of an HTTP/2-enabled connector is required.
How to detect
Check the Tomcat version with `bin/version.sh` (or `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`), via the manager app's `/manager/text/serverinfo` command if the manager is deployed, or from deployment metadata. Then confirm whether HTTP/2 is actually enabled: Tomcat only speaks HTTP/2 when a Connector in `conf/server.xml` contains `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />`; a vulnerable version without that element is not exposed to this bug, but still needs the upgrade.
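As an added example (not part of the original card or any Securie detector), the following script implements both checks: it parses the version string printed by `ServerInfo` or `version.sh`, compares it against the first fixed release of each branch (milestones such as `11.0.0-M16` sort before the GA release), and inspects `server.xml` for the HTTP/2 upgrade protocol. The embedded `server.xml` is a constructed sample, not a real deployment.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, per the Apache Tomcat security pages.
FIXED = {
    (11, 0): "11.0.0-M17",
    (10, 1): "10.1.19",
    (9, 0): "9.0.86",
    (8, 5): "8.5.99",
}

# Matches "10.1.18", "10.1.18.0" (the 'Server number' form) and "11.0.0-M16".
_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:-M(\d+))?")


def parse_version(text):
    """Return a comparable (major, minor, patch, milestone) key.

    Milestone builds get their M number; GA releases get +inf so that
    11.0.0-M16 < 11.0.0-M17 < 11.0.0.
    """
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone else float("inf")
    return (int(major), int(minor), int(patch), rank)


def is_vulnerable_version(text):
    """True/False for a branch listed in FIXED; None for an unlisted branch
    (e.g. 7.0 or 8.0, which the advisory does not cover)."""
    key = parse_version(text)
    branch = key[:2]
    if branch not in FIXED:
        return None
    return key < parse_version(FIXED[branch])


def http2_enabled(server_xml):
    """True if any Connector declares the HTTP/2 upgrade protocol.

    Without this element Tomcat never negotiates HTTP/2, so the bug is
    unreachable even on a vulnerable version.
    """
    root = ET.fromstring(server_xml)
    for up in root.iter("UpgradeProtocol"):
        if up.get("className") == "org.apache.coyote.http2.Http2Protocol":
            return True
    return False


def assess(version_text, server_xml):
    """Combine both checks into a single verdict string."""
    vuln = is_vulnerable_version(version_text)
    h2 = http2_enabled(server_xml)
    if vuln is None:
        return "unknown branch: check the vendor advisory"
    if vuln and h2:
        return "EXPOSED: vulnerable version with HTTP/2 enabled"
    if vuln:
        return "vulnerable version, HTTP/2 not enabled (upgrade anyway)"
    return "not affected"


# Constructed sample server.xml: one TLS connector with HTTP/2 turned on.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" maxHeaderCount="100">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Constructed sample line in the format ServerInfo prints.
    print(assess("Server version: Apache Tomcat/10.1.18", SAMPLE_SERVER_XML))
```

In practice feed `assess()` the real `ServerInfo` output and the contents of `conf/server.xml` from the host; the "vulnerable but HTTP/2 disabled" verdict is deliberately kept separate so the upgrade is still tracked even where the bug is not currently reachable.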
How to fix
Upgrade Tomcat to 11.0.0-M17+ / 10.1.19+ / 9.0.86+ / 8.5.99+. If the upgrade cannot be rolled out immediately, removing the `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />` element from the affected Connector disables HTTP/2 and closes the attack path at the cost of HTTP/2 service until the fixed release is deployed.
How Securie catches it
Securie's Java runtime detector flags vulnerable Tomcat.