Security Advisory: Apache Tomcat CVE-2025-52434 and Xerox DocuShare
Summary: Xerox assessed DocuShare for Apache Tomcat CVE-2025-52434 and determined that standard DocuShare deployments are not exposed because this issue is tied to HTTP/2 operation with the APR/Native connector, and DocuShare does not use HTTP/2 in the shipped configuration.
Applies To
| DocuShare Release | Guidance |
|---|---|
| DocuShare 7.5 | No action required for the shipped configuration. |
| DocuShare 7.6 | No action required for the shipped configuration. |
| DocuShare 7.7 | No action required for the shipped configuration. |
| DocuShare 8.0 | No action required for the shipped configuration. |
Overview
CVE-2025-52434 is an Apache Tomcat race condition affecting deployments that use the APR/Native connector and HTTP/2. The issue is especially noticeable with client-initiated closes of HTTP/2 connections.
Xerox reviewed DocuShare's use of those Tomcat features and determined that the standard product configuration does not expose the required HTTP/2 path.
What the Vulnerability Requires
The issue depends on Tomcat features that are not part of the standard DocuShare deployment model.
- Tomcat in an affected version range on the 9.0.x branch.
- HTTP/2 enabled on the Tomcat connector.
- Use of the APR/Native connector path associated with this vulnerability.
DocuShare Assessment
| Assessment Item | Finding |
|---|---|
| Tomcat feature required | HTTP/2 with APR/Native connector behavior |
| DocuShare shipped configuration | HTTP/2 not enabled |
| Customer guidance | Not exposed in the standard Xerox configuration |
Important: If your organization has enabled HTTP/2 or introduced custom connector settings beyond the Xerox-supplied Tomcat configuration, review those changes with Xerox Support because the standard DocuShare deployment model is not the relevant baseline in that case.
What You Should Do
- No action is required for a standard DocuShare deployment using the Xerox-supplied Tomcat configuration.
- If you have enabled HTTP/2 or custom native connector behavior, review your Tomcat level and configuration.
- If your environment relies on the affected feature set through custom Tomcat changes, coordinate with Xerox Support before making changes outside the supported DocuShare patch path.
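One way to carry out the configuration review described above, as an added example that is not Xerox or Apache code: it reads a Tomcat `server.xml` and reports, per connector, whether the HTTP/2 upgrade and the APR/Native connector are configured. The function name `audit_server_xml` and the sample file are constructed for illustration, and the check does not cover the Tomcat version precondition.

```python
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
APR_HTTP = "org.apache.coyote.http11.Http11AprProtocol"
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample, not a Xerox-supplied file: one plain NIO connector and
# one customised connector that combines APR/Native with the HTTP/2 upgrade.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

def audit_server_xml(xml_text):
    """Return one finding per <Connector> in a Tomcat server.xml document."""
    root = ET.fromstring(xml_text)
    # Tomcat 9 resolves protocol="HTTP/1.1" to APR/Native only when the APR
    # listener sets useAprConnector="true" and the native library is loadable.
    auto_apr = any(l.get("className") == APR_LISTENER
                   and l.get("useAprConnector", "false").lower() == "true"
                   for l in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # HTTP/2 is switched on per connector by a nested <UpgradeProtocol>.
        http2 = any(u.get("className") == HTTP2_CLASS
                    for u in conn.findall("UpgradeProtocol"))
        apr = protocol == APR_HTTP or (auto_apr and protocol == "HTTP/1.1")
        findings.append({"port": conn.get("port"), "protocol": protocol,
                         "http2": http2, "apr": apr, "both": http2 and apr})
    return findings

if __name__ == "__main__":
    for f in audit_server_xml(SAMPLE_SERVER_XML):
        status = ("HTTP/2 and APR/Native both configured, review with Xerox Support"
                  if f["both"] else
                  "HTTP/2 enabled, differs from shipped configuration"
                  if f["http2"] else "HTTP/2 not enabled")
        print(f"port {f['port']} ({f['protocol']}): {status}")
```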