Skip to main content

Security Advisory: Apache Tomcat CVE-2025-53506 and Xerox DocuShare

Updated

 

Summary:  Xerox assessed DocuShare for Apache Tomcat CVE-2025-53506 and determined that standard DocuShare deployments are not exposed because the issue requires HTTP/2 behavior that is not enabled in the shipped Tomcat configuration.

 

Applies To

DocuShare ReleaseGuidance
DocuShare 7.5No action required for the shipped configuration.
DocuShare 7.6No action required for the shipped configuration.
DocuShare 7.7No action required for the shipped configuration.
DocuShare 8.0No action required for the shipped configuration.

 

Overview

CVE-2025-53506 is an Apache Tomcat uncontrolled resource consumption issue involving an HTTP/2 client that does not acknowledge the initial settings frame that reduces maximum concurrent streams.

Xerox reviewed the relevant Tomcat connector behavior and determined that the required HTTP/2 path is not enabled in the standard DocuShare deployment.

What the Vulnerability Requires

The exploit path requires HTTP/2 support to be active on the Tomcat connector.

  • Tomcat in an affected version range on the 9.0.x.
  • HTTP/2 enabled for the Tomcat connector handling customer traffic.
  • A client path that can hold Tomcat resources by avoiding acknowledgement of the initial settings frame.

DocuShare Assessment

Assessment ItemFinding
Tomcat feature requiredHTTP/2 request handling
DocuShare shipped configurationHTTP/2 not enabled
Customer guidanceStandard DocuShare deployments are not exposed

 

Important:  If your organization has enabled HTTP/2 in a customized Tomcat deployment, review that change with Xerox Support because the standard Xerox configuration is not the relevant model in that case.

 

What You Should Do

  • No action is required for the Xerox-supplied Tomcat configuration.
  • If you have enabled HTTP/2 in a custom deployment, review your connector settings and Tomcat level.
  • If your customized environment depends on the affected HTTP/2 feature set, coordinate with Xerox Support before making Tomcat changes outside the supported DocuShare patch path.

Related articles