CVE-2024-24549

HIGH

Apache Tomcat <11.0.0-M16, <10.1.18, <9.0.85, <=8.5.98 - DoS

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-24549. PoCs published by Abdurahmon3236, JFOZ1010.

AI-analyzed exploit summary This repository contains a functional Python script that demonstrates a Denial of Service (DoS) vulnerability in Apache Tomcat by sending a high volume of HTTP/2 requests with large headers to exhaust server resources.

Description

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

Exploits (2)

nomisec WORKING POC 9 stars

by Abdurahmon3236 · poc

https://github.com/Abdurahmon3236/CVE-2024-24549

View Code ZIP pw:eip

This repository contains a functional Python script that demonstrates a Denial of Service (DoS) vulnerability in Apache Tomcat by sending a high volume of HTTP/2 requests with large headers to exhaust server resources.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apache Tomcat (versions 11.0.0-M1 through 11.0.0-M16, 10.1.0-M1 through 10.1.18, 9.0.0-M1 through 9.0.85, and 8.5.0 through 8.5.98)

No auth needed

Prerequisites: Network access to the target server · Python environment to run the script

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC 6 stars

by JFOZ1010 · poc

https://github.com/JFOZ1010/CVE-2024-24549

View Code ZIP pw:eip

This repository contains a functional Python-based DoS exploit for CVE-2024-24549 targeting Apache Tomcat 9.0.83. The exploit uses multi-threaded HTTP requests with large headers and dynamic payloads to overwhelm the server.

Classification

Working Poc 95%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Apache Tomcat 9.0.83

No auth needed

Prerequisites: Network access to the target server · Python 3.8+ environment

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (6)

Core 6

Core References

Mailing List

http://www.openwall.com/lists/oss-security/2024/03/13/3

Mailing List, Third Party Advisory

https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html

Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/

Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20240402-0002/

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg

Scores

CVSS v3 7.5

EPSS 0.6439

EPSS Percentile 98.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20

Status published

Products (7)

apache/tomcat 11.0.0 milestone1 (16 CPE variants)

apache/tomcat 8.5.0 - 8.5.99

debian/debian_linux 10.0

fedoraproject/fedora 39

fedoraproject/fedora 40

org.apache.tomcat/tomcat-coyote 11.0.0-M1 - 11.0.0-M17Maven

org.apache.tomcat.embed/tomcat-embed-core 8.5.0 - 8.5.99Maven

Published Mar 13, 2024

Tracked Since Feb 18, 2026