Skip to content

fix(security): upgrade embedded Tomcat to 9.0.86 to remediate CVE-2024-24549 HTTP/2 DoS#45

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-tomcat-http2-vulnerability
Draft

fix(security): upgrade embedded Tomcat to 9.0.86 to remediate CVE-2024-24549 HTTP/2 DoS#45
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/update-tomcat-http2-vulnerability

Conversation

Copilot AI commented Apr 21, 2026

Copy link
Copy Markdown
Contributor

CVE-2024-24549 allows an attacker to trigger resource exhaustion via malformed HTTP/2 headers against Tomcat < 9.0.86, potentially causing service unavailability. The project was pinned to Tomcat 9.0.58 via Spring Boot 2.5.10.

Changes

  • build.gradle.kts — pins extra["tomcat.version"] = "9.0.86", overriding the Spring Boot BOM for all three tomcat-embed-* components (core / el / websocket: 9.0.58 → 9.0.86)

  • application.properties (new) — explicitly enables HTTP/2 and caps header size at 8 KB:

    server.http2.enabled=true
    server.max-http-header-size=8192
  • TomcatHttp2Config.java (new) — @Configuration bean that registers Http2Protocol on the embedded connector with hardened limits not exposed via Spring Boot properties:

    Http2Protocol http2Protocol = new Http2Protocol();
    http2Protocol.setMaxConcurrentStreams(200);
    http2Protocol.setMaxHeaderSize(8192);
    http2Protocol.setMaxHeaderCount(100);
    protocol.addUpgradeProtocol(http2Protocol);

    These ensure malformed/oversized HTTP/2 headers are rejected at the protocol level before reaching application code.

Copilot AI changed the title [WIP] Upgrade Tomcat HTTP/2 implementation to fix DoS vulnerability fix(security): upgrade embedded Tomcat to 9.0.86 to remediate CVE-2024-24549 HTTP/2 DoS Apr 21, 2026
Copilot AI requested a review from pagarwal-dev April 21, 2026 05:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [MEDIUM] Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests

2 participants