CVE-2022-25762

Response mix-up with WebSocket concurrent send and close

Description

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

Category

8.6
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.32%
Vendor Advisory apache.org
Affected: Apache Software Foundation Apache Tomcat
Published at:
Updated at:

References

Link Tags
https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c mailing list vendor advisory
https://www.oracle.com/security-alerts/cpujul2022.html third party advisory patch
https://security.netapp.com/advisory/ntap-20220629-0003/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2022-25762?
CVE-2022-25762 has been scored as a high severity vulnerability.
How to fix CVE-2022-25762?
To fix CVE-2022-25762, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-25762 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-25762 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-25762?
CVE-2022-25762 affects Apache Software Foundation Apache Tomcat.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.