Feb 06, 2024 · 4 Min read


Apache Tomcat HTTP Request Smuggling (Client- Side Desync)



CVE-2024-21733 is a security vulnerability affecting the Apache Tomcat web application server software. This vulnerability occurs in specific versions of Apache Tomcat, specifically versions 8.5.7 to 8.5.63 and versions 9.0.0-M11 to 9.0.43.

The vulnerability lies in the improper handling of incomplete POST requests sent to the Apache Tomcat server. When an incomplete POST request is delivered to the server, it generates a response containing data from a previous request made by another user, due to incorrect handling of the content length (Content-Length) of the POST request..

This vulnerability falls under the category of desynchronization attacks, exploiting errors in HTTP request handling by the server to create conditions where the client connection becomes desynchronized with the server. By exploiting this desynchronization, attackers can steal or manipulate sensitive data passing through the connection.

Users of Apache Tomcat affected by the mentioned versions above are advised to upgrade to the latest patched versions of Apache Tomcat, which are version 9.0.44 or newer, or version 8.5.64 or newer. This is the recommended mitigation step to protect systems from exploitation of this vulnerability.

Severity of CVE-2024-21733 is "MEDIUM" with Base Score: 5.3 MEDIUM



The CVE-2024-21733 vulnerability in Apache Tomcat affects systems running specific versions of the software. The affected systems include:

Affected Versions:

Apache Tomcat 9.0.0-M11 to 9.0.43

Apache Tomcat 8.5.7 to 8.5.63


Exploiting this vulnerability allows attackers to manipulate the connection between the victim's browser and the website hosted on Apache Tomcat. This can cause connection desynchronization, disrupting normal user access to the website.

• Sensitive Data Leakage: Due to connection desynchronization between the Apache Tomcat server and the victim's browser, there is an opportunity for attackers to take advantage and smuggle sensitive data from the connection. Sensitive data passing through the server or client connection can be compromised or stolen by attackers.

• Potential Misinformation: Because incomplete POST requests can trigger responses containing data from previous requests by other users, affected users may see irrelevant or misleading information in the response from the Apache Tomcat server.

The main impact of CVE-2024-21733 is the potential for connection desynchronization with websites running on Apache Tomcat, facilitating the smuggling of sensitive data from the connection by attackers. This has the potential to disrupt data integrity and confidentiality as well as user experience on the affected website.


Upgrade to Latest Version:

Apache Tomcat 9.0.44 or newer.

Apache Tomcat 8.5.64 or newer.