CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Published: 2020-07-14 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-13935 is rated Moderate Risk (60.3/100): CVSS High severity, with high exploitation likelihood (EPSS 87.55%, 100th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2020-13935

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 92.16% 87.55% -4.60%
2 2026-05-20 91.75% 92.16% +0.41%
3 2026-03-28 91.75%

Full EPSS history (62 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-13935

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 3.6 [email protected]
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 2.9 [email protected]

Weakness enumeration for CVE-2020-13935

GitHub Security Advisory for CVE-2020-13935

OS Trackers for CVE-2020-13935

vendor priority summary link
debian not yet assigned CVE-2020-13935 not yet assigned priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2020-13935
redhat high https://access.redhat.com/security/cve/CVE-2020-13935
suse high CVE-2020-13935 severity important: SUSE including 397 source package names (5.0.0-beta1.2.122:tomcat-9.0.36-3.6.1, 5.0.0-beta1.2.122:tomcat-el-3_0-api-9.0.36-3.6.1, …), 751 product×package rows across 77 product lines (Container containers/apache-tomcat, Container suse/manager/5.0/x86_64/server, … (77 product lines)): Fixed 484, Known Affected 231, Known Not Affected 36. https://www.suse.com/security/cve/CVE-2020-13935/
ubuntu medium CVE-2020-13935 medium priority: Ubuntu including 4 source packages (tomcat6, tomcat7, tomcat8, tomcat9), 68 status rows across 17 suites (bionic, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 43, not-affected 14, needed 5, released 5, ignored 1. https://ubuntu.com/security/CVE-2020-13935

Affected software / configurations for CVE-2020-13935

Vendor Product Version Raw CPE
apache tomcat >= 7.0.27, <= 7.0.104 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache tomcat >= 8.5.0, <= 8.5.56 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache tomcat >= 9.0.1, <= 9.0.36 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
apache tomcat 9.0.0 cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
apache tomcat 10.0.0 cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
netapp oncommand_system_manager >= 3.0.0, <= 3.1.3 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
opensuse leap 15.1 cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
opensuse leap 15.2 cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
canonical ubuntu_linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
canonical ubuntu_linux 20.04 cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
mcafee epolicy_orchestrator 5.9.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.9.1 cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*
oracle agile_engineering_data_management 6.2.1.0 cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
oracle agile_plm 9.3.3 cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
oracle agile_plm 9.3.5 cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
oracle agile_plm 9.3.6 cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
oracle blockchain_platform < 21.1.2 cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*
oracle commerce_guided_search 11.3.2 cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
oracle communications_cloud_native_core_policy 1.14.0 cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
oracle communications_instant_messaging_server 10.0.1.5.0 cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
oracle fmw_platform 12.2.1.3.0 cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*
oracle fmw_platform 12.2.1.4.0 cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.1 cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.2 cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
oracle instantis_enterprisetrack 17.3 cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
oracle managed_file_transfer 12.2.1.3.0 cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
oracle managed_file_transfer 12.2.1.4.0 cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor <= 8.0.21 cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle siebel_ui_framework <= 20.12 cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
oracle workload_manager 12.2.0.1 cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
oracle workload_manager 18c cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
oracle workload_manager 19c cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*

References for CVE-2020-13935

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html Mailing List Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10332 Third Party Advisory
https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E Mailing List Release Notes Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200724-0003/ Third Party Advisory
https://usn.ubuntu.com/4448-1/ Third Party Advisory
https://usn.ubuntu.com/4596-1/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4727 Third Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Not Applicable Third Party Advisory
cvelogic Threat Intelligence