NES for Apache Tomcat Release Notes
Comprehensive release notes and changelog for NES for Apache Tomcat, including security patches, bug fixes, and feature updates across all supported versions.
59 Patched Vulnerabilities
Apache Tomcat 8.5.x
8.5.105 (NES) - April 13, 2026
Notes
- This release includes both maven packages and binaries. The binary packages for this release are available at
https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.105/tomcat-nes-v8.5.105.zip.
Bug Fixes
This release patches the following:
- Add validation of chunk extensions.
  - This fixes a Low Severity HTTP Request Smuggling vulnerability, CVE-2026-24880.
- Fix slash handling for path parameters.
  - This fixes a Low Severity URL Redirect/Open Redirect vulnerability, CVE-2026-25854.
- Add support for new algorithms provided by JPA providers.
  - This fixes a High Severity Cryptographic Weakness vulnerability, CVE-2026-29146.
- Fix case-sensitive handling of the protocol host name.
  - This fixes a Medium Severity Authorization Bypass vulnerability, CVE-2026-32990.
  - Note that this fix is a continuation of the fix for CVE-2025-66614, which was found to be incomplete.
- Expand access log escaping.
  - This fixes a Low Severity Content Spoofing vulnerability, CVE-2026-34483.
- Better error handling.
  - This fixes a High Severity Incorrectly Configured Access Control vulnerability, CVE-2026-34486.
  - Note that this fix is a continuation of the fix for CVE-2026-29146, which was found to have an error that allowed the EncryptInterceptor to be bypassed.
8.5.104 (NES) - February 24, 2026
Notes
- This release includes both maven packages and binaries. The binary packages for this release are available at
https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.104/tomcat-nes-v8.5.104.zip.
Bug Fixes
This release patches the following:
- Add protocol host name and SNI host name matching; add a strictSNI attribute on the Connector to control it; add support for NIO2; add support for APR.
  - This fixes a Medium Severity Improper Input Validation vulnerability, CVE-2025-66614.
- HTTP/0.9 now only allows GET.
  - This fixes a Low Severity Improper Input Validation vulnerability, CVE-2026-24733.
8.5.103 (NES) - November 3, 2025
Notes
- This release includes a compatibility fix for a deadlock that can occur when Tomcat is used with Spring Boot 1.5.
- This release includes both maven packages and binaries. The binary packages for this release are available at
https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.103/tomcat-nes-v8.5.103.zip.
Bug Fixes
This release patches the following:
- Improve the locking strategy for StandardServer.services.
  - This fixes a potential deadlock that was introduced in Tomcat 8.5.99 and broke compatibility with Spring Boot 1.5. The upstream open-source project fixed the issue in 9.x but never backported the fix to 8.5. With this release, Tomcat works with Spring Boot 1.5 again.
- Fix a couple of issues with QSA/QSD handling and the associated tests.
  - This fixes a High Severity Path Traversal vulnerability, CVE-2025-55752.
- Add escaping to logging output.
  - This fixes a High Severity Command Injection vulnerability, CVE-2025-55754.
- Explicitly clean up after a failed multi-part upload.
  - This fixes a Low Severity Denial of Service vulnerability, CVE-2025-61795.
8.5.102 (NES) - July 23, 2025
Notes
- This release includes both maven packages and binaries. The binary packages for this release are available at
https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.102/tomcat-nes-v8.5.102.zip.
Bug Fixes
This release patches the following:
- Improve stability of the APR/native connector.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-52434.
- Align size tracking for multipart requests with FileUpload's use of long.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-52520.
- Apply the initial HTTP/2 connection limits earlier.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-53506.
Full Version: 8.5.100-tomcat-8.5.102
8.5.101 (NES) - July 10, 2025
Notes
- This release originates from the open-source Apache Tomcat project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
- This release includes both maven packages and binaries. The binary packages for this release are available at
https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.101/tomcat-nes-v8.5.101.zip.
Bug Fixes
- Make counting of active streams more robust.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2024-34750.
- Add support for re-keying with TLS 1.3.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2024-38286.
- Fix inconsistent resource metadata between concurrent GET and PUT/DELETE.
  - This fixes a High Severity Remote Code Execution vulnerability, CVE-2024-50379.
- If Jakarta Authentication fails with an exception, set a 500 status.
  - This fixes a Critical Severity Authorization Bypass vulnerability, CVE-2024-52316.
- Fix an Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat that leads to denial of service.
  - This fixes a Medium Severity Denial of Service vulnerability, CVE-2024-54677.
- Automate protection for CVE-2024-56337.
  - This fixes a High Severity Remote Code Execution vulnerability, CVE-2024-56337.
- Enhance the lifecycle of temporary files used by partial PUT.
  - This fixes a Critical Severity Remote Code Execution vulnerability, CVE-2025-24813.
- Fix Apache Tomcat Denial of Service via an invalid HTTP priority header.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-31650.
- Fix Apache Tomcat rewrite rule bypass.
  - This fixes a Critical Severity Authorization Bypass vulnerability, CVE-2025-31651.
- Refactor the CGI servlet to access resources via WebResources, and use the WebResource API to differentiate files and directories.
  - This fixes a High Severity Authorization Bypass vulnerability, CVE-2025-46701.
- Fix allocation of resources for multipart headers with insufficient limits, which enabled a DoS vulnerability in Apache Commons FileUpload.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-48976.
- Fix an Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
  - This fixes a High Severity Denial of Service vulnerability, CVE-2025-48988.
- Use the full path when calling icacls.exe.
  - This fixes a High Severity Untrusted Search Path vulnerability, CVE-2025-49124.
- Expand checks for webAppMount.
  - This fixes a High Severity Authentication Bypass vulnerability, CVE-2025-49125.
Full Version: 8.5.100-tomcat-8.5.101