CVE-2022-25762

Severity: HIGH | CVSS 8.6/10 | EPSS 7.54%

CVE-2022-25762 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. EPSS estimates a 7.54% chance of exploitation in the next 30 days.

Description

If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.

Metrics

CVSS 3.1
8.6/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Probability
7.54%

93.7th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor   Product     Versions
Apache   Tomcat      >= 8.5.0, < 8.5.76
Apache   Tomcat      >= 9.0.0, < 9.0.21
Oracle   Agile PLM   9.3.6

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-25762?
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.
How severe is CVE-2022-25762?
CVE-2022-25762 has a CVSS score of 8.6/10 (HIGH severity). The EPSS model estimates a 7.54% probability of exploitation in the next 30 days.
How do I fix CVE-2022-25762?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-25762?

Run a free Strix scan to check your systems for this vulnerability.

Source: NVD / NIST