I got an error like 'EOL/Obsolete Software: Apache Tomcat 8.5 Detected.' What can I do?

This means your application is running Apache Tomcat 8.5, which has reached end-of-life and no longer receives security updates. NES for Apache Tomcat provides a drop-in replacement to keep your application secure, compliant, and fully supported. Talk to our sales team to explore your options.

Does HeroDevs have an SLA for NES for Apache Tomcat?

Yes. Our response times vary based on the severity of the issue. Security-related and application-breaking issues are our top priority and will be resolved immediately (same day if possible). We can provide our SLA for your team to review upon request.

What Apache Tomcat versions does NES support?

NES for Apache Tomcat supports version 8.5. We provide ongoing support and patches to keep your applications secure and operational.

Does NES for Apache Tomcat help with compliance?

NES for Apache Tomcat helps maintain compliance by providing security patches and updates, even for older versions. Our enterprise-grade SLA supports standards like HIPAA, SOC-2, PCI DSS, and more.

Why do I need NES for Apache Tomcat?

Using an unsupported version of Apache Tomcat exposes your applications to security vulnerabilities and compliance risks. NES for Apache Tomcat allows you to stay on your current version securely until you're ready to upgrade.

How does licensing work?

When you purchase Never-Ending Support, you acquire a commercial license for the support services. Our pricing model is based on the number of users who will be committing code to the project repo. Users are unnamed and transferable across team members.

What happens if we do nothing now that our Tomcat version is end-of-life?

Without security patches, your Tomcat applications face increasing vulnerabilities in servlet processing, JSP execution, and connector handling. Critical vulnerabilities are being actively exploited in regions including the U.S., Japan, India, South Korea, and Mexico.

How are Spring applications affected by Tomcat vulnerabilities?

Spring Boot applications may be affected if they use features like the default servlet or file-based session persistence. Vulnerabilities in Tomcat can compromise Spring applications even if their code is secure. NES protects the underlying servlet container.

How does NES for Apache Tomcat compare to upgrading to newer Tomcat versions?

Upgrading typically takes 3–6 months and risks breaking configurations or integrations. NES offers immediate security and compliance coverage, giving you time to plan strategic upgrades without disruption.

Secure drop-in replacements for Tomcat® version 8.5

Never-Ending Support for Apache Tomcat

Name: NES for Apache Tomcat
Brand: HeroDevs
Rating: 5 (30 reviews)

Legacy Apache Tomcat versions still function after support ends — but that's not good enough for internal SLAs, CVE disclosures, and security audits.

Never-Ending Support (NES) for Apache Tomcat keeps you compliant, secure, and audit-ready without an unplanned migration or risky patchwork.

Get Pricing

Talk to our Experts

IMPORTANT

Get NES for Apache Tomcat now to stay protected from CVE-2025-55754, CVE-2025-61795, and CVE-2025-55752

Patch CVEs, Meet Internal SLAs, Pass Audits — in Minutes.

NES for Apache Tomcat

is a secure drop-in replacement for

Apache Tomcat

CVE Protection

0 Security Issues Fixed in NES for Apache Tomcat
(and always looking for more)

By purchasing HeroDevs’ Never-Ending Support for Apache Tomcat, you ensure that your Apache Tomcat applications stay secure and mitigate these vulnerabilities. As more CVEs are discovered, you can rest easy knowing HeroDevs will fix them.

If you’re currently using Apache Tomcat 8.5.x in your application’s tech stack, your application is vulnerable to the CVEs listed below.

Switch to Never-Ending Support for Apache Tomcat in minutes to immediately mitigate these vulnerabilities.

Severity

ID

Technology

Libraries Affected

Category

Version(s) Affected

Published Date

Low

CVE-2026-24733

Apache Tomcat

Improper Input Validation (4.16)

>=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.113, >=10.1.0-M1 <10.1.50, >=11.0.0-M1 <11.0.15

Mar 6, 2026

Medium

CVE-2025-66614

Apache Tomcat

Improper Input Validation (4.16)

>=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.113, >=10.1.0-M1 <10.1.50, >=11.0.0-M1 <=11.0.15

Mar 6, 2026

High

CVE-2025-55754

Apache Tomcat

Command Injection

>=8.5.60 <=8.5.100, >=9.0.40 <9.0.109, >=10.1.0-M1 <10.1.45, >=11.0.0-M1 <11.0.11

Nov 7, 2025

Medium

CVE-2025-61795

Apache Tomcat

Denial of Service

>=8.5.0 <=8.5.100, >=9.0.0.M1 <9.0.110, >=10.1.0-M1 <10.1.47, >=11.0.0-M1 <11.0.12

Nov 7, 2025

High

CVE-2025-55752

Apache Tomcat

Path Traversal

>=8.5.6 <=8.5.100, >=9.0.0.M11 <9.0.109, >=10.1.0-M1 <10.1.45, >=11.0.0-M1 <11.0.11

Nov 7, 2025

High

CVE-2025-46701

Apache Tomcat

Path Traversal

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.105, >=10.1.0-M1 <10.1.41, >=11.0.0-M1 <11.0.7

Aug 4, 2025

Critical

CVE-2025-31651

Apache Tomcat

Command Injection

>= 8.5.0 <= 8.5.100, >=9.0.76 <9.0.104, >=10.1.10 <10.1.40, >=11.0.0-M2 <11.0.6

Aug 4, 2025

Critical

CVE-2025-24813

Apache Tomcat

Remote Code Execution

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.99, >=10.1.0-M1 <10.1.35, >=11.0.0-M1 <11.0.3

Jul 30, 2025

Medium

CVE-2025-53506

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.107, >=10.1.0-M1 <10.1.43, >=11.0.0-M1 <11.0.9

Jul 30, 2025

Medium

CVE-2025-52520

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.107, >=10.1.0-M1 <10.1.43, >=11.0.0-M1 <11.0.9

Jul 30, 2025

Medium

CVE-2025-52434

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.107

Jul 30, 2025

Medium

CVE-2025-49125

Apache Tomcat

Authorization Bypass

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.106, >=10.1.0-M1 <10.1.42, >=11.0.0-M1 <11.0.8

Jul 30, 2025

High

CVE-2025-49124

Apache Tomcat

Path Traversal

>= 8.5.44 <= 8.5.100, >=9.0.23 <9.0.106, >=10.1.0 <10.1.42, >=11.0.0-M1 <11.0.8

Jul 30, 2025

High

CVE-2025-48988

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.106, >=10.1.0-M1 <10.1.42, >=11.0.0-M1 <11.0.8

Jul 30, 2025

High

CVE-2025-31650

Apache Tomcat

Denial of Service

>= 8.5.90 <= 8.5.100, >=9.0.76 <9.0.104, >=10.1.10 <10.1.40, >=11.0.0-M2 <11.0.6

Jul 30, 2025

High

CVE-2024-56337

Apache Tomcat

Remote Code Execution

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2

May 28, 2025

Medium

CVE-2024-54677

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2

May 28, 2025

Medium

CVE-2024-52317

Apache Tomcat

Information Exposure

>=9.0.92 <9.0.96, >=10.1.27 <10.1.31, >=11.0.0-M23 <11.0.0

May 28, 2025

Critical

CVE-2024-52316

Apache Tomcat

Authorization Bypass

>= 8.5.0 <= 8.5.100, <9.0.96, >=10.1.0-M1 <10.1.30, >=11.0.0-M1 <11.0.1

May 28, 2025

High

CVE-2024-50379

Apache Tomcat

Remote Code Execution

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.98, >=10.1.0-M1 <10.1.34, >=11.0.0-M1 <11.0.2

May 28, 2025

High

CVE-2024-38286

Apache Tomcat

Denial of Service

>= 8.5.35 <= 8.5.100, >=9.0.13 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0.M21

May 28, 2025

High

CVE-2024-34750

Apache Tomcat

Denial of Service

>= 8.5.0 <= 8.5.100, >=9.0.0.M1 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0-M21

May 28, 2025

For more details on CVEs found in end-of-life software, visit our vulnerability directory.

Vulnerability Directory

Report A Vulnerability

Critical Challenges We Solve

Evolving Security Threats

Recent vulnerabilities can target servlet processing and can lead to remote code execution. NES delivers timely patches for these emerging threats that would otherwise remain unaddressed in end-of-life Tomcat versions.

Spring Dependencies

Spring Boot applications can be particularly vulnerable when running on outdated Tomcat versions, creating compound security risks. NES addresses vulnerabilities at the servlet container level, protecting your Spring applications from underlying threats.

Compliance Violations

Running unsupported software increasingly results in audit findings and regulatory penalties. NES helps maintain compliance with SOC 2, PCI DSS, HIPAA, and FedRAMP by providing ongoing security updates and documentation.

Custom Configuration Preservation

Years of tuning and customization can make Tomcat migrations risky. NES secures your existing implementation without requiring changes to your carefully crafted configurations.

Who Relies on NES for Apache Tomcat

Financial Services

Maintaining secure banking platforms and payment processing systems

Healthcare Organizations

Ensuring HIPAA-compliant patient portals and claims systems

Government Agencies

Supporting mission-critical citizen service applications

Retail & E-commerce

Preserving stable inventory and order management systems

Manufacturing

Maintaining reliable supply chain and production applications

What is Never-Ending Support?

Security Fixes

A new version of NES for Apache Tomcat will be released each time we find, validate, and fix a security issue.

Drop-In Compatibility

A direct replacement for your framework—no migrations, no rewrites, just ongoing support.

SLA Compliance

HeroDevs provides SLAs that ensure compliance by providing incident response and remediation in accordance with industry-standard regulations, including SOC 2, FedRAMP, PCI, and HIPAA.

Learn more.

Team of Experts

NES for Apache Tomcat is built by dedicated senior-level Java and security engineers.

Easy to Install

Our simple drop-in replacement means all you have to do is update your Maven/Gradle files and rebuild your project. No code changes or find & replace required.

Intellectual Property Protection

NES for Apache Tomcat is not only secure; HeroDevs also offers enterprise-level protection for all products.

Learn more.

Why Choose HeroDevs for Apache Tomcat?

Apache Tomcat is integral to enterprises in e-commerce, finance, media, and more due to its scalability, lightweight design, and robust Java support. However, open vulnerabilities demonstrate the need for continuous security updates.

With HeroDevs' expertise in Java frameworks and security engineering, organizations can confidently deploy scalable, secure web applications without the operational burden of managing vulnerabilities. Additionally, HeroDevs helps businesses adhere to strict compliance requirements by ensuring that their software remains up-to-date with the latest security patches and meets regulatory standards like SOC 2, PCI DSS, HIPAA, and FedRAMP.

Support

Frequently Asked Questions

Below are common questions our customers have. Of course, we’re happy to meet with you and answer these and other questions you might have.

Apache®, Apache Tomcat, Tomcat®, and the Tomcat logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.

Related Products

If you're leveraging this technology, chances are you're also using complementary systems that face similar end-of-life (EOL) challenges.

Explore our related NES products that offer proactive, comprehensive support for your entire tech stack to ensure continuity, security, and innovation across all your essential technologies.

View All Products

Apache Grails

CometD

Jetty

Hibernate

Apache Spark

Apache Camel

Apache Cocoon

Apache Tapestry

Apache Solr & Lucene

Struts

Spring