Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service Scanner
Detects the 'Denial of Service (DoS)' vulnerability in Apache Tomcat affecting versions 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104. The vulnerability can cause high CPU usage through malformed WebSocket frames.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 16 days 22 hours
Scan only one: URL
Toolbox: -
Apache Tomcat is a widely used open-source implementation of the Java Servlet, JavaServer Pages, and WebSocket technologies, developed by the Apache Software Foundation. It is commonly deployed to serve Java-based web applications in both development and production environments. Tomcat is favored for its simplicity, robustness, and extensive support by the Java community. It is often used by large enterprises, small businesses, and individual developers. Tomcat supports various components including servlets, JSPs, and WebSocket endpoints. The software is highly customizable and integrates well with major development frameworks.
The vulnerability occurs in Apache Tomcat’s WebSocket module, where incoming WebSocket frame payload lengths are not correctly validated. This flaw can cause the application to enter an infinite loop while processing malformed frames. A remote attacker can exploit this issue by sending a specially crafted WebSocket frame with an invalid payload length. If successful, this results in excessive CPU resource usage, effectively leading to a denial of service. The issue affects a broad range of Tomcat versions from 7.0.27 to 10.0.0-M6. The improper validation of payload lengths allows for simple yet highly effective disruption attacks.
The vulnerability lies in the `/examples/websocket/echoProgrammatic` WebSocket endpoint of Tomcat. The flaw is triggered by sending a WebSocket frame with a payload length set to an illegal value, specifically with the most significant bits set to 1. This triggers a bug in the WebSocket processing loop, causing the server to consume CPU endlessly. The frame is constructed with incorrect masking keys and an incomplete message body. Since the server does not correctly validate the frame structure, it fails to break the loop. This makes the attack easy to perform and hard to detect without proper monitoring.
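As an added illustration (not the scanner's or Tomcat's own code), the following Python frame-header parser applies the RFC 6455 payload-length rules a correct WebSocket reader must enforce, so a frame of the shape described above is rejected before any processing loop runs. The sample headers and the 1 MiB policy limit are constructed for this example.

```python
import struct

# Assumed policy limit for this example: refuse any frame larger than 1 MiB.
MAX_FRAME_PAYLOAD = 1 << 20

# Constructed sample headers (not captured traffic): a valid masked client
# text frame, and a frame whose 64-bit length has its most significant bit
# set, which RFC 6455 section 5.2 forbids.
SAMPLE_OK = bytes([0x81, 0x85]) + b"\x00\x00\x00\x00" + b"hello"
SAMPLE_BAD_LENGTH = (bytes([0x81, 0xFF])
                     + (1 << 63).to_bytes(8, "big") + b"\x00\x00\x00\x00")

class InvalidFrame(ValueError):
    """Raised for any header a compliant parser must reject."""

def parse_frame_header(data: bytes, max_payload: int = MAX_FRAME_PAYLOAD):
    """Return (fin, opcode, masked, payload_len, header_len) or raise InvalidFrame."""
    if len(data) < 2:
        raise InvalidFrame("truncated header")
    b0, b1 = data[0], data[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    if b0 & 0x70:
        raise InvalidFrame("RSV bits set without a negotiated extension")
    masked, length, pos = bool(b1 & 0x80), b1 & 0x7F, 2
    if length == 126:                       # 16-bit extended length follows
        if len(data) < pos + 2:
            raise InvalidFrame("truncated 16-bit length")
        length = struct.unpack_from(">H", data, pos)[0]
        pos += 2
        if length < 126:
            raise InvalidFrame("non-minimal 16-bit length encoding")
    elif length == 127:                     # 64-bit extended length follows
        if len(data) < pos + 8:
            raise InvalidFrame("truncated 64-bit length")
        length = struct.unpack_from(">Q", data, pos)[0]
        pos += 8
        if length & (1 << 63):              # the check at the heart of this bug class
            raise InvalidFrame("64-bit length with most significant bit set")
        if length < 0x10000:
            raise InvalidFrame("non-minimal 64-bit length encoding")
    if length > max_payload:
        raise InvalidFrame(f"payload length {length} exceeds policy limit")
    if opcode >= 0x8 and (length > 125 or not fin):
        raise InvalidFrame("control frame too long or fragmented")
    if masked:
        pos += 4                            # masking key occupies the next 4 bytes
    return fin, opcode, masked, length, pos

def check_frame(data: bytes) -> str:
    """Return "ok" or the rejection reason, suitable for a proxy filter or log line."""
    try:
        parse_frame_header(data)
        return "ok"
    except InvalidFrame as exc:
        return str(exc)
```

A reverse proxy or WAF sitting in front of Tomcat can apply the same check to drop such frames at the edge and log the rejection reason for detection.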
If exploited, this vulnerability can severely affect the availability of web applications running on vulnerable Apache Tomcat servers. Targeted systems may experience high CPU usage, slow performance, or even complete downtime. In shared environments, this can also affect other tenants and lead to broader service degradation. The issue does not require authentication, increasing the attack surface. Prolonged exploitation may trigger infrastructure-level issues or invoke incident response procedures. The lack of immediate errors in logs can delay detection and resolution.