Impact
The issue arises in Apache Tomcat Native and in Tomcat's FFM port when processing OCSP responses. The code accepts a response without completing verification or freshness checks, so a certificate revocation can be bypassed: an attacker who can supply a forged or stale OCSP response can make Tomcat treat a revoked certificate as valid and keep using it in TLS handshakes. The root causes are improper input validation (CWE-20) and improper certificate validation (CWE-295). This undermines the integrity of the TLS layer, since an adversary holding a compromised or revoked server certificate can still establish a channel that Tomcat accepts, potentially facilitating man-in-the-middle attacks or other credential misuse.
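As an added illustration (not Tomcat's or Tomcat Native's code), the acceptance decision modelled in plain Python: a lenient check that stops at the certificate status, beside the checks a validator must complete before an OCSP response's status may be trusted. The OcspResponse fields, the 5-minute skew, the 24-hour cap and the sample responses are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResponse:
    """Hypothetical parsed fields; a real validator takes them from the DER-decoded BasicOCSPResponse."""
    response_status: str        # "successful", "tryLater", "unauthorized", ...
    cert_status: str            # "good" | "revoked" | "unknown"
    serial: int                 # serialNumber in the SingleResponse certID
    this_update: datetime
    next_update: Optional[datetime]
    signature_valid: bool       # responder signature chains to the CA or an authorised delegate
    nonce: Optional[bytes]      # echo of the request nonce, if one was sent
MAX_SKEW = timedelta(minutes=5)               # assumption: tolerated clock skew
MAX_AGE_NO_NEXT_UPDATE = timedelta(hours=24)  # assumption: policy cap when nextUpdate is absent

def accept_lenient(r: OcspResponse) -> bool:
    """Models the defect the advisory describes: the status is trusted before signature
    and freshness checks complete, so a forged or stale 'good' answer passes."""
    return r.response_status == "successful" and r.cert_status == "good"

def accept_strict(r: OcspResponse, expected_serial: int,
                  expected_nonce: Optional[bytes], now: datetime) -> bool:
    """All RFC 6960 section 3.2 checks must pass before the status means anything."""
    if r.response_status != "successful":
        return False                                  # responder gave no usable answer
    if not r.signature_valid:
        return False                                  # forged or untrusted signer
    if r.serial != expected_serial:
        return False                                  # answer concerns a different certificate
    if expected_nonce is not None and r.nonce != expected_nonce:
        return False                                  # replayed response
    if r.this_update > now + MAX_SKEW:
        return False                                  # produced in the future
    if r.next_update is not None:
        if r.next_update + MAX_SKEW < now:
            return False                              # stale: validity window has passed
    elif now - r.this_update > MAX_AGE_NO_NEXT_UPDATE:
        return False                                  # too old to trust without a window
    return r.cert_status == "good"                    # revoked/unknown are never accepted
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the constructed samples
SAMPLES = {
    "stale_forged": OcspResponse("successful", "good", 0x1234, NOW - timedelta(days=30), NOW - timedelta(days=20), False, None),
    "fresh_good": OcspResponse("successful", "good", 0x1234, NOW - timedelta(hours=1), NOW + timedelta(days=1), True, b"n1"),
    "revoked": OcspResponse("successful", "revoked", 0x1234, NOW - timedelta(hours=1), NOW + timedelta(days=1), True, b"n1"),
}
def evaluate() -> dict:
    """{sample name: (lenient decision, strict decision)} over the constructed responses."""
    return {k: (accept_lenient(v), accept_strict(v, 0x1234, v.nonce, NOW)) for k, v in SAMPLES.items()}
```

The stale, unsigned sample is exactly the case the advisory warns about: the lenient path accepts it while the strict path rejects it before ever looking at the status.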
Affected Systems
Affected products include Apache Tomcat Native versions 1.3.0-1.3.4 and 2.0.0-2.0.11, and Apache Tomcat from 11.0.0-M1 through 11.0.17, 10.1.0-M7 through 10.1.51, and 9.0.83 through 9.0.114. Earlier EOL native versions 1.1.23-1.1.34 and 1.2.0-1.2.39 are also vulnerable, but older EOL releases are not affected.
Risk and Exploitability
The CVSS v3.1 score is 7.4, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in CISA's KEV catalog. An attacker would need to trigger Tomcat's OCSP validation path, which typically runs during TLS handshakes; the flaw is therefore reachable from a remote network when the application accepts client connections or connects to an external OCSP responder. No public exploit is currently known, but the low EPSS does not eliminate the risk, especially for high-value deployments that rely on strict revocation checking.
OpenCVE Enrichment