Apache Tomcat 8.5.47 released

Apache Tomcat 8

The Apache Tomcat® software is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat project logo are trademarks of the Apache Software Foundation.

Changelog Apache Tomcat 8.5.47


  • Fix:  Use URL safe base 64 encoding rather than standard base 64 encoding when generating or parsing the HTTP2-Settings header as part of an HTTP upgrade to h2c as required by RFC 7540. (markt)
  • Fix:  63765: NIO2 should try to unwrap after TLS handshake to avoid edge cases. (remm)
  • Fix:  63766: Ensure Processor objects are recycled when processing an HTTP upgrade connection that terminates before processing switches to the Processor for the upgraded protocol. (markt)


  • Fix:  63781: When performing various checks related to the visibility of classes, fields an methods in the EL implementation, also check that the containing modeul has been exported. (markt)

Web Socket

  • Fix:  63753: Ensure that the Host header in a Web Socket HTTP upgrade request only contains a port if a non-default port is being used. (markt)
  • Fix:  When running on Java 9 and above, don’t attempt to instantiate WebSocket Endpoints found in modules that are not exported. (markt)

Web Applications

  • Docs:  Add Javadoc for the Common Annotations API implementation. (markt)


  • Fix:  When connections are validated without an explicit validation query, ensure that any transactions opened by the validation process are committed. Patch provided by Pascal Davoust. (markt)


  • Code:  Deprecate org.apache.tomcat.util.compat.TLS. Its functionality was only used for unit tests in org.apache.tomcat.util.net.TesterSupport and has been moved there. (rjung)
  • Fix:  63759: When installing Tomcat with the Windows installer, grant sufficient privileges to enable the uninstaller to execute when user account control is active. (markt)
  • Add:  Use a build property to define the minimum supported Java version and use that build property to reduce the number of edits required to update the minimum supported Java version. (markt)
  • Update:  63767: Update to Commons Daemon 1.2.2. This corrects a regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows Service to crash on start when running on an operating system that had not been fully updated. (markt)