Apache Tomcat Lifecycle Intelligence

Apache Tomcat End of Life —
Tomcat 9 EOL Dec 2025, Full Version Guide

Updated 2026-05-30 · endoflife.ai · 8 min read

Apache Tomcat is one of the most widely deployed Java servlet containers in the world. It powers enterprise applications, internal tools, and public-facing APIs across industries that have been running Java for decades. And because Tomcat deployments tend to be stable and rarely touched, end-of-life versions accumulate quietly in production. Tomcat 9 alone is running on tens of thousands of servers that will never receive another security patch.

This guide covers every Tomcat version's official end-of-life date, EOL Risk Score™, and what to do if you're running a version past end of support.

Complete Apache Tomcat EOL Schedule

Apache Tomcat follows a major-version release cycle tied to the Java EE / Jakarta EE specification. Each major version supports a specific servlet and JSP specification version. This means migrations between major versions often involve namespace and API changes, not just a simple version bump.

VersionServlet SpecEnd of LifeStatusEOL Risk Score™
Tomcat 73.0Mar 31, 2021EOL96
Tomcat 8.53.1Mar 31, 2024EOL88
Tomcat 94.0Dec 31, 2025EOL82
Tomcat 10.16.0 (Jakarta)Dec 31, 2026Warning45
Tomcat 116.1 (Jakarta)TBDSupported15
⚠ Tomcat 9 is EOL
Apache Tomcat 9 reached end of life on December 31, 2025. As of today, it has been unsupported for five months. No further security fixes, bug fixes, or CVE patches will be released. Every vulnerability disclosed from January 1, 2026 onward is permanently unpatched on Tomcat 9.
Running Apache Tomcat past end of life?
Extended-support vendors still ship security patches for EOL versions. We match you with the right provider for your stack — free, no obligation.
Get Apache Tomcat Support Options →

Tomcat 9 — End of Life December 31, 2025

Tomcat 9 was the last version to support the Java Servlet 4.0 / JSP 2.3 specification and the javax.* namespace. This is a critical distinction: Tomcat 10 and later use the Jakarta EE namespace (jakarta.*), which means the migration from Tomcat 9 to Tomcat 10 or 11 is not a drop-in upgrade. It requires code changes in any application that imports from javax.servlet.

This namespace break is the primary reason so many production deployments are still on Tomcat 9. Teams know the migration is coming but haven't prioritized it because the application "still works." It will keep working — until a CVE is disclosed that Tomcat 9 will never patch.

EOL Risk Score™
Tomcat 9 — Score: 82 Critical

Why Tomcat 9 deployments outlast their EOL date

The javax.* to jakarta.* namespace change in Jakarta EE 9 means that upgrading from Tomcat 9 to Tomcat 10+ requires modifying import statements across every class that uses the servlet API. For large applications with hundreds of classes, this can be a significant refactor. Tools like the Apache Tomcat Migration Tool for Jakarta EE can automate most of this, but the effort is real.

Tomcat 10.1 — EOL December 31, 2026

Tomcat 10.1 supports Jakarta Servlet 6.0 and is currently in active support until December 31, 2026. It uses the jakarta.* namespace, making it the bridge version for teams migrating from Tomcat 9. However, with less than 18 months of support remaining, new projects should target Tomcat 11 rather than 10.1.

Planning note
If you are migrating from Tomcat 9, migrating directly to Tomcat 11 rather than 10.1 gives you the longest runway. Tomcat 11 supports Jakarta Servlet 6.1 and has no defined EOL date yet. The namespace change is the same between 9→10 and 9→11 — so doing the migration once to reach the longest-supported version is the most efficient path.

Tomcat 11 — Current Supported Release

Apache Tomcat 11 is the current actively-developed release. It supports Jakarta Servlet 6.1, JSP 4.0, and WebSocket 2.2. No end-of-life date has been announced. This is the target for all new deployments and all migrations from Tomcat 9 and 10.

EOL Risk Score™
Tomcat 11 — Score: 15 Low · Actively Supported

CVE Blind Spot Risk for EOL Tomcat Versions

Tomcat has a well-documented CVE history. High-severity vulnerabilities are discovered regularly — HTTP/2 request smuggling, path traversal, deserialization issues, and session fixation bugs have all affected Tomcat in recent years. When a version reaches EOL, the Apache Tomcat project stops backporting security fixes to it.

The practical consequence: any CVE disclosed after December 31, 2025 that affects Tomcat 9 will never be patched in the official release. Tomcat 9 systems become permanently exposed to every new vulnerability from that date forward.

Check your Tomcat CVE exposure
The Tomcat product page shows live EOL status for every version. The EOL Checker lets you look up any version instantly.

Migrating from Tomcat 9 to Tomcat 10/11

Step 1 — Run the Jakarta EE migration tool

The official Apache migration tool scans your WAR or exploded application and rewrites javax.* imports to jakarta.* automatically. Run it on your application before attempting to deploy to Tomcat 10+.

Step 2 — Update your dependencies

Third-party libraries that reference javax.servlet must be updated to versions compiled against jakarta.servlet. Spring Framework 6+, Hibernate 6+, and Jakarta EE 10-compatible libraries are required. Check each dependency's Jakarta EE compatibility matrix.

Step 3 — Test in a staging environment

Deploy to Tomcat 11 in a staging environment and run your full integration test suite. Pay particular attention to servlet filters, session listeners, and any code that touches HttpServletRequest or HttpServletResponse directly.

Step 4 — Update your deployment configuration

Review web.xml, context.xml, and Tomcat's server.xml for deprecated settings. Tomcat 11 removed support for some legacy configuration options that were deprecated in Tomcat 9 and 10.

Related products
Running Tomcat with Spring Boot? Check the Spring Boot EOL guide. Running on an EOL JDK? Check the Java EOL page. EOL risk compounds when multiple layers are out of support simultaneously.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.