CVE-2020-13935

Severity: HIGH · Nuclei template available

Apache Tomcat 7.0.27-7.0.104, 8.5.0-8.5.56, 9.0.0.M1-9.0.36, 10.0.0-M1-M6 DoS via WebSocket Frame Payload Length

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-13935, published by RedTeamPentesting and aabbcc19191. A Nuclei detection template is also available.

AI-analyzed exploit summary: both PoCs open a WebSocket connection to a vulnerable Tomcat and send frames whose 64-bit extended payload length has every bit set to 1. RFC 6455 requires the top bit of that field to be zero; unpatched Tomcat read the field into a signed long without validating it, so the frame carries a negative length that the frame-processing loop can never satisfy, and the worker thread handling that connection spins at full CPU. Sending several such frames or connections exhausts the server's CPU.

Description

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop (CWE-835), and multiple requests with invalid payload lengths could lead to a denial of service. The invalid value is a 64-bit extended payload length with its most significant bit set, which RFC 6455 forbids; Tomcat stored it as a signed long, so the length became negative and the payload-consumption loop had no reachable exit. The fix, shipped in 10.0.0-M7, 9.0.37, 8.5.57 and 7.0.105, rejects such frames with a protocol-error close. Exploitation needs only network access to a WebSocket endpoint and no authentication. Note that the exploit analyses below also list Tomcat 8.0.1 to 8.0.53 as affected; that branch is not in the vendor advisory range above, as 8.0.x had already reached end of life.
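The frame-level mechanism described in the summary and the description above, as an added example written for this page (Python; not code from Tomcat, the page, or either PoC). It builds the malformed frame the PoCs send (the byte layout here is constructed from RFC 6455, not copied from a PoC), and parses frame headers two ways: a lenient parser that mirrors the pre-fix behaviour of loading the 8-byte extended length into a signed 64-bit integer with no range check, and a strict parser that applies the RFC 6455 length rules. The masking keys are arbitrary fixed values chosen for reproducibility.

```python
import struct

# RFC 6455 section 5.2: the most significant bit of the 64-bit extended
# payload length MUST be 0, so the largest legal length is 2**63 - 1.
MAX_PAYLOAD_LENGTH = (1 << 63) - 1


class ProtocolError(ValueError):
    """Raised where a conforming endpoint must fail the connection (close code 1002)."""


def build_client_frame(payload, opcode=0x1, masking_key=b"\x12\x34\x56\x78"):
    """Well-formed masked client-to-server frame using the minimal length encoding.
    Constructed helper; the default masking key is an arbitrary fixed value."""
    if len(masking_key) != 4:
        raise ValueError("masking key must be 4 bytes")
    n = len(payload)
    header = bytes([0x80 | opcode])                      # FIN=1, RSV=000, opcode
    if n < 126:
        header += bytes([0x80 | n])                      # MASK=1, 7-bit length
    elif n < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", n)
    masked = bytes(b ^ masking_key[i % 4] for i, b in enumerate(payload))
    return header + masking_key + masked


def build_malformed_frame(masking_key=b"\x00\x00\x00\x00"):
    """Frame whose 7-bit length is 127 and whose 64-bit extended length has every
    bit set. Read unsigned that is 2**64 - 1 (MSB set, illegal); read as a signed
    64-bit integer (a Java long) it is -1. Constructed for illustration."""
    return bytes([0x81, 0x80 | 127]) + b"\xff" * 8 + masking_key


def parse_header(frame, strict):
    """Decode the frame header; return its fields and the payload offset.
    strict=False: extended length read as a signed integer, no range check
    (the pre-fix behaviour). strict=True: enforce the RFC 6455 rules."""
    if len(frame) < 2:
        raise ProtocolError("truncated header")
    b0, b1 = frame[0], frame[1]
    fin, rsv, opcode = bool(b0 & 0x80), (b0 >> 4) & 0x07, b0 & 0x0F
    masked, length, pos = bool(b1 & 0x80), b1 & 0x7F, 2
    if length == 126:
        if len(frame) < pos + 2:
            raise ProtocolError("truncated extended length")
        (length,) = struct.unpack_from(">H", frame, pos)
        pos += 2
        if strict and length < 126:
            raise ProtocolError("non-minimal length encoding")
    elif length == 127:
        if len(frame) < pos + 8:
            raise ProtocolError("truncated extended length")
        fmt = ">Q" if strict else ">q"                   # unsigned vs. signed (Java long)
        (length,) = struct.unpack_from(fmt, frame, pos)
        pos += 8
        if strict:
            if length > MAX_PAYLOAD_LENGTH:
                raise ProtocolError("payload length has the MSB set")
            if length < 0x10000:
                raise ProtocolError("non-minimal length encoding")
    if strict:
        if rsv:
            raise ProtocolError("RSV bits set without a negotiated extension")
        if opcode >= 0x8 and (length > 125 or not fin):
            raise ProtocolError("control frames must be unfragmented and <= 125 bytes")
        if not masked:
            raise ProtocolError("client-to-server frames must be masked")
    masking_key = None
    if masked:
        if len(frame) < pos + 4:
            raise ProtocolError("truncated masking key")
        masking_key, pos = frame[pos:pos + 4], pos + 4
    return {"fin": fin, "opcode": opcode, "masked": masked, "length": length,
            "masking_key": masking_key, "payload_offset": pos}


def payload_complete(length, written):
    """The 'frame done' test of a reader that counts bytes copied so far.
    written starts at 0 and only grows, so a negative length never satisfies
    it: that unreachable loop exit is the CWE-835 condition behind this CVE."""
    return written == length


def rejected_by_strict_parser(frame):
    """True when the strict parser fails the frame with a protocol error."""
    try:
        parse_header(frame, strict=True)
    except ProtocolError:
        return True
    return False


if __name__ == "__main__":
    bad = build_malformed_frame()
    print("lenient length:", parse_header(bad, strict=False)["length"])   # -1
    print("strict rejects:", rejected_by_strict_parser(bad))             # True
```

The strict branch checks more than the upstream fix strictly needs (the fix only has to reject the out-of-range length), but the extra rules are the ones a server-side frame reader should apply anyway: minimal length encoding, no RSV bits without an extension, bounded control frames and mandatory client masking. A reader that skips the length check and reuses the signed value in its completion test is the pattern to look for when auditing other WebSocket implementations.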

Exploits (2)

Source: nomisec · Working PoC · 169 stars
by RedTeamPentesting (poc)
https://github.com/RedTeamPentesting/CVE-2020-13935

This PoC opens a WebSocket connection to the target and sends multiple frames whose 64-bit extended payload length has every bit set to 1. Unpatched Tomcat reads that field as a negative length, its frame-processing loop never completes, and CPU usage on the server climbs until it is unresponsive.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, 8.0.1 to 8.0.53, 7.0.27 to 7.0.104)
No auth needed
Prerequisites: Network access to a vulnerable Apache Tomcat WebSocket endpoint
devstral-2 · analyzed Feb 16, 2026
Source: nomisec · Working PoC
by aabbcc19191 (poc)
https://github.com/aabbcc19191/CVE-2020-13935

This PoC triggers the same condition by sending malformed WebSocket frames with every bit of the extended payload length set to 1, and keeps sending them continuously to sustain the denial of service.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Apache Tomcat (10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, 8.0.1 to 8.0.53, 7.0.27 to 7.0.104)
No auth needed
Prerequisites: Network access to the target WebSocket endpoint
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service
HIGH · by sttlr
Shodan: html:"Apache Tomcat"
The Shodan query only fingerprints hosts whose responses mention Apache Tomcat; it does not establish the version or whether a WebSocket endpoint is exposed, so treat its hits as candidates for the template, not as confirmed-vulnerable hosts.

References (17)

Core references (17 tracked; 15 listed)

https://www.debian.org/security/2020/dsa-4727 [Third Party Advisory; vendor-advisory, x_refsource_debian]
https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html [Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist]
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html [Mailing List, Third Party Advisory; vendor-advisory, x_refsource_suse]
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html [Mailing List, Third Party Advisory; vendor-advisory, x_refsource_suse]
https://usn.ubuntu.com/4448-1/ [Third Party Advisory; vendor-advisory, x_refsource_ubuntu]
https://www.oracle.com/security-alerts/cpuoct2020.html [Patch, Third Party Advisory; x_refsource_misc]
https://security.netapp.com/advisory/ntap-20200724-0003/ [Third Party Advisory; x_refsource_confirm]
https://kc.mcafee.com/corporate/index?page=content&id=SB10332 [Third Party Advisory; x_refsource_confirm]
https://usn.ubuntu.com/4596-1/ [Third Party Advisory; vendor-advisory, x_refsource_ubuntu]
https://www.oracle.com/security-alerts/cpujan2021.html [Patch, Third Party Advisory; x_refsource_misc]
https://www.oracle.com/security-alerts/cpuApr2021.html [Patch, Third Party Advisory; x_refsource_misc]
https://www.oracle.com//security-alerts/cpujul2021.html [Patch, Third Party Advisory; x_refsource_misc]
https://www.oracle.com/security-alerts/cpuoct2021.html [Not Applicable, Third Party Advisory; x_refsource_misc]
https://www.oracle.com/security-alerts/cpujan2022.html [Patch, Third Party Advisory; x_refsource_misc]
https://www.oracle.com/security-alerts/cpuapr2022.html [Patch, Third Party Advisory; x_refsource_misc]

Scores

CVSS v3.1 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector NETWORK
EPSS 0.8755 (percentile 99.7%)

Details

CWE: CWE-835 (Loop with Unreachable Exit Condition, 'Infinite Loop')
Status: published
Products (11)
apache/tomcat 9.0.0 milestone1 (27 CPE variants)
apache/tomcat 10.0.0 milestone1 (6 CPE variants)
apache/tomcat 7.0.27 - 7.0.104
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 20.04
debian/debian_linux 9.0
debian/debian_linux 10.0
mcafee/epolicy_orchestrator 5.9.0
mcafee/epolicy_orchestrator 5.9.1
mcafee/epolicy_orchestrator 5.10.0 (9 CPE variants)
... and 1 more
Published Jul 14, 2020
Tracked Since Feb 18, 2026