
CVE-2024-41169 – Apache Zeppelin: raft directory listing and file read
https://notcve.org/view.php?id=CVE-2024-41169
12 Jul 2025 — The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter. • https://github.com/apache/zeppelin/pull/4841 • CWE-664: Improper Control of a Resource Through its Lifetime •

CVE-2025-48924 – Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
https://notcve.org/view.php?id=CVE-2025-48924
11 Jul 2025 — Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: commons-lang:commons-lang from 2.0 to 2.6, and org.apache.commons:commons-lang3 from 3.0 before 3.18.0. The ClassUtils.getClass(...) methods can throw a StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. • https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1 • CWE-674: Uncontrolled Recursion •

CVE-2025-53506 – Apache Tomcat: DoS via excessive h2 streams at connection start
https://notcve.org/view.php?id=CVE-2025-53506
10 Jul 2025 — Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. • https://lists.apache.org/thread/p09775q0rd185m6zz98krg0fp45j8kr0 • CWE-400: Uncontrolled Resource Consumption •

CVE-2025-52520 – Apache Tomcat: DoS via integer overflow in multipart file upload
https://notcve.org/view.php?id=CVE-2025-52520
10 Jul 2025 — For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. • https://lists.apache.org/thread/trqq01bbxw6c92zx69kx2mw2qgmfy0o5 • CWE-190: Integer Overflow or Wraparound •

CVE-2025-52434 – Apache Tomcat: APR/Native Connector crash leading to DoS
https://notcve.org/view.php?id=CVE-2025-52434
10 Jul 2025 — Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue. • https://lists.apache.org/thread/gxgh65004f25y8519coth6w7vchww030 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2025-53020 – Apache HTTP Server: HTTP/2 DoS by Memory Increase
https://notcve.org/view.php?id=CVE-2025-53020
10 Jul 2025 — Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2025-49812 – Apache HTTP Server: mod_ssl TLS upgrade attack
https://notcve.org/view.php?id=CVE-2025-49812
10 Jul 2025 — In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-287: Improper Authentication •

CVE-2025-49630 – Apache HTTP Server: mod_proxy_http2 denial of service
https://notcve.org/view.php?id=CVE-2025-49630
10 Jul 2025 — In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Affected configurations are those where a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on". • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-617: Reachable Assertion •

CVE-2025-23048 – Apache HTTP Server: mod_ssl access control bypass with session resumption
https://notcve.org/view.php?id=CVE-2025-23048
10 Jul 2025 — In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHos... • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-284: Improper Access Control •

CVE-2024-43394 – Apache HTTP Server: SSRF on Windows due to UNC paths
https://notcve.org/view.php?id=CVE-2024-43394
10 Jul 2025 — Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows could allow NTLM hashes to be leaked to a malicious server via mod_rewrite or Apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows se... • https://httpd.apache.org/security/vulnerabilities_24.html • CWE-918: Server-Side Request Forgery (SSRF) •