diff --git a/CVE-2025-52434.patch b/CVE-2025-52434.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1729939755da0904809686eba67dc93b1ff59068
--- /dev/null
+++ b/CVE-2025-52434.patch
@@ -0,0 +1,194 @@
+From 8a83c3c42d20762782678932c14005cd3397a018 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Thu, 26 Jun 2025 10:05:59 +0100
+Subject: [PATCH] Improve stability of APR/native connector.
+
+Origin: https://github.com/apache/tomcat/commit/8a83c3c42d20762782678932c14005cd3397a018
+
+This addresses at least some of the intermittent issues observed with
+the APR unit tests.
+---
+ .../apache/tomcat/util/net/AprEndpoint.java   | 82 ++++++++++++-------
+ 1 file changed, 54 insertions(+), 28 deletions(-)
+
+diff --git a/java/org/apache/tomcat/util/net/AprEndpoint.java b/java/org/apache/tomcat/util/net/AprEndpoint.java
+index b7fcad8..880352c 100644
+--- a/java/org/apache/tomcat/util/net/AprEndpoint.java
++++ b/java/org/apache/tomcat/util/net/AprEndpoint.java
+@@ -625,17 +625,8 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
+ 
+             // Close the SocketWrapper for each open connection - this should
+             // trigger a IOException when the app (or container) tries to write.
+-            // Use the blocking status write lock as a proxy for a lock on
+-            // writing to the socket. Don't want to close it while another
+-            // thread is writing as that could trigger a JVM crash.
+             for (SocketWrapperBase<Long> socketWrapper : connections.values()) {
+-                WriteLock wl = ((AprSocketWrapper) socketWrapper).getBlockingStatusWriteLock();
+-                wl.lock();
+-                try {
+-                    socketWrapper.close();
+-                } finally {
+-                    wl.unlock();
+-                }
++                socketWrapper.close();
+             }
+ 
+             for (Long socket : connections.keySet()) {
+@@ -2399,6 +2390,17 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
+         }
+ 
+ 
++        @Override
++        public void close() {
++            Lock lock = getLock();
++            lock.lock();
++            try {
++                super.close();
++            } finally {
++                lock.unlock();
++            }
++        }
++
+         @Override
+         protected void doClose() {
+             if (log.isDebugEnabled()) {
+@@ -2607,25 +2609,31 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
+ 
+         @Override
+         protected void populateRemoteAddr() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_REMOTE, socket);
+                 remoteAddr = Address.getip(sa);
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noRemoteAddr", getSocket()), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+ 
+         @Override
+         protected void populateRemoteHost() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_REMOTE, socket);
+                 remoteHost = Address.getnameinfo(sa, 0);
+@@ -2634,68 +2642,86 @@ public class AprEndpoint extends AbstractEndpoint<Long,Long> implements SNICallB
+                 }
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noRemoteHost", getSocket()), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+ 
+         @Override
+         protected void populateRemotePort() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_REMOTE, socket);
+                 Sockaddr addr = Address.getInfo(sa);
+                 remotePort = addr.port;
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noRemotePort", getSocket()), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+ 
+         @Override
+         protected void populateLocalName() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_LOCAL, socket);
+                 localName =Address.getnameinfo(sa, 0);
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noLocalName"), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+ 
+         @Override
+         protected void populateLocalAddr() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_LOCAL, socket);
+                 localAddr = Address.getip(sa);
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noLocalAddr"), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+ 
+         @Override
+         protected void populateLocalPort() {
+-            if (isClosed()) {
+-                return;
+-            }
++            Lock lock = getLock();
++            lock.lock();
+             try {
++                if (isClosed()) {
++                    return;
++                }
+                 long socket = getSocket().longValue();
+                 long sa = Address.get(Socket.APR_LOCAL, socket);
+                 Sockaddr addr = Address.getInfo(sa);
+                 localPort = addr.port;
+             } catch (Exception e) {
+                 log.warn(sm.getString("endpoint.warn.noLocalPort"), e);
++            } finally {
++                lock.unlock();
+             }
+         }
+ 
+-- 
+2.33.0
+
diff --git a/CVE-2025-52520.patch b/CVE-2025-52520.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b6f1405602bb59cc4441593af755bae74217c3be
--- /dev/null
+++ b/CVE-2025-52520.patch
@@ -0,0 +1,56 @@
+From 927d66fbc294cb65242102b817a45fd80834e040 Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Tue, 1 Jul 2025 20:22:16 +0100
+Subject: [PATCH] Align size tracking for multipart requests with FileUpload's
+ use of long
+
+Origin: https://github.com/apache/tomcat/commit/927d66fbc294cb65242102b817a45fd80834e040
+---
+ java/org/apache/catalina/connector/Request.java | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index bd979ac..c42be55 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -2640,23 +2640,23 @@ public class Request implements HttpServletRequest {
+             try {
+                 List<FileItem> items = upload.parseRequest(new ServletRequestContext(this));
+                 int maxPostSize = getConnector().getMaxPostSize();
+-                int postSize = 0;
++                long postSize = 0;
+                 Charset charset = getCharset();
+                 for (FileItem item : items) {
+                     ApplicationPart part = new ApplicationPart(item, location);
+-                    parts.add(part);
+                     if (part.getSubmittedFileName() == null) {
+                         String name = part.getName();
+                         if (maxPostSize >= 0) {
+                             // Have to calculate equivalent size. Not completely
+                             // accurate but close enough.
+-                            postSize += name.getBytes(charset).length;
++                            // Name
++                            postSize = Math.addExact(postSize, name.getBytes(charset).length);
+                             // Equals sign
+-                            postSize++;
++                            postSize = Math.addExact(postSize, 1);
+                             // Value length
+-                            postSize += part.getSize();
++                            postSize = Math.addExact(postSize, part.getSize());
+                             // Value separator
+-                            postSize++;
++                            postSize = Math.addExact(postSize, 1);
+                             if (postSize > maxPostSize) {
+                                 parameters.setParseFailedReason(FailReason.POST_TOO_LARGE);
+                                 throw new IllegalStateException(sm.getString("coyoteRequest.maxPostSizeExceeded"));
+@@ -2670,6 +2670,7 @@ public class Request implements HttpServletRequest {
+                         }
+                         parameters.addParameter(name, value);
+                     }
++                    parts.add(part);
+                 }
+ 
+                 success = true;
+-- 
+2.33.0
+
diff --git a/CVE-2025-53506.patch b/CVE-2025-53506.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9e1643537c617ed65d2bb6fc1fe26cf843bf768b
--- /dev/null
+++ b/CVE-2025-53506.patch
@@ -0,0 +1,93 @@
+From 434772930f362145516dd60681134e7f0cf8115b Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Tue, 1 Jul 2025 19:58:55 +0100
+Subject: [PATCH] Apply the initial HTTP/2 connection limits earlier.
+
+Origin: https://github.com/apache/tomcat/commit/434772930f362145516dd60681134e7f0cf8115b
+
+---
+ .../coyote/http2/ConnectionSettingsBase.java  | 19 +++++++++++++++++--
+ .../coyote/http2/ConnectionSettingsLocal.java |  5 ++++-
+ .../coyote/http2/Http2UpgradeHandler.java     |  8 ++++++--
+ 3 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/java/org/apache/coyote/http2/ConnectionSettingsBase.java b/java/org/apache/coyote/http2/ConnectionSettingsBase.java
+index 749fac5cff51..47141ba05018 100644
+--- a/java/org/apache/coyote/http2/ConnectionSettingsBase.java
++++ b/java/org/apache/coyote/http2/ConnectionSettingsBase.java
+@@ -66,6 +66,11 @@ abstract class ConnectionSettingsBase<T extends Throwable> {
+ 
+ 
+     final void set(Setting setting, long value) throws T {
++        set(setting,  value, false);
++    }
++
++
++    final void set(Setting setting, long value, boolean force) throws T {
+         if (log.isTraceEnabled()) {
+             log.trace(sm.getString("connectionSettings.debug", connectionId, getEndpointName(), setting,
+                     Long.toString(value)));
+@@ -102,11 +107,21 @@ final void set(Setting setting, long value) throws T {
+                 return;
+         }
+ 
+-        set(setting, Long.valueOf(value));
++        set(setting, Long.valueOf(value), force);
+     }
+ 
+ 
+-    synchronized void set(Setting setting, Long value) {
++    /**
++     * Specify a new value for setting with the option to force the change to take effect immediately rather than
++     * waiting until an {@code ACK} is received.
++     *
++     * @param setting The setting to update
++     * @param value   The new value for the setting
++     * @param force   {@code false} if an {@code ACK} must be received before the setting takes effect or {@code true}
++     *                    if the setting to take effect immediately. Even if the setting takes effect immediately, it
++     *                    will still be included in the next {@code SETTINGS} frame and an {@code ACK} will be expected.
++     */
++    synchronized void set(Setting setting, Long value, boolean force) {
+         current.put(setting, value);
+     }
+ 
+diff --git a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
+index 372be80223c9..5ceec8ece198 100644
+--- a/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
++++ b/java/org/apache/coyote/http2/ConnectionSettingsLocal.java
+@@ -40,12 +40,15 @@ class ConnectionSettingsLocal extends ConnectionSettingsBase<IllegalArgumentExce
+ 
+ 
+     @Override
+-    final synchronized void set(Setting setting, Long value) {
++    final synchronized void set(Setting setting, Long value, boolean force) {
+         checkSend();
+         if (current.get(setting).longValue() == value.longValue()) {
+             pending.remove(setting);
+         } else {
+             pending.put(setting, value);
++            if (force) {
++                current.put(setting, value);
++            }
+         }
+     }
+ 
+diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+index 51bf38923856..234dd74f8ab8 100644
+--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java
++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+@@ -161,8 +161,12 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH
+         remoteSettings = new ConnectionSettingsRemote(connectionId);
+         localSettings = new ConnectionSettingsLocal(connectionId);
+ 
+-        localSettings.set(Setting.MAX_CONCURRENT_STREAMS, protocol.getMaxConcurrentStreams());
+-        localSettings.set(Setting.INITIAL_WINDOW_SIZE, protocol.getInitialWindowSize());
++        /*
++         * Force set these initial limits. A well-behaved client should ACK the settings and adhere to them before it
++         * reaches the limits anyway.
++         */
++        localSettings.set(Setting.MAX_CONCURRENT_STREAMS, protocol.getMaxConcurrentStreams(), true);
++        localSettings.set(Setting.INITIAL_WINDOW_SIZE, protocol.getInitialWindowSize(), true);
+ 
+         pingManager.initiateDisabled = protocol.getInitiatePingDisabled();
+ 
diff --git a/tomcat.spec b/tomcat.spec
index 66715f98fb9f73b7d7d63479ea57d41ba3a70320..d906607e3a4ed7190d4dc5080f56e836b380f757 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -23,7 +23,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       5
+Release:       6
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -61,6 +61,9 @@ Patch14:       CVE-2025-46701-2.patch
 Patch15:       CVE-2025-48988.patch
 Patch16:       CVE-2025-48976.patch
 Patch17:       CVE-2025-49125.patch
+Patch18:       CVE-2025-52434.patch
+Patch19:       CVE-2025-52520.patch
+Patch20:       CVE-2025-53506.patch
 
 BuildArch:     noarch
 
@@ -427,6 +430,9 @@ fi
 %{appdir}/docs
 
 %changelog
+* Fri Jul 11 2025 wangkai <13474090681@163.com> - 1:9.0.100-6
+- Fix CVE-2025-52434 CVE-2025-53506 CVE-2025-52520
+
 * Mon Jun 30 2025 wangkai <13474090681@163.com> - 1:9.0.100-5
 - Fix CVE-2025-48976