Apache Tomcat End of Life: Tomcat 9 is EOL — Migration Guide to Tomcat 10/11

endoflife-ai Posted on May 30 • Originally published at endoflife.ai Apache Tomcat End of Life: Tomcat 9 is EOL — Migration Guide to Tomcat 10/11 # java # security # devops # opensource Apache Tomcat 9 reached end of life on December 31, 2025 . No more security patches. No more CVE fixes. Every vulnerability disclosed from January 1, 2026 onward is permanently unpatched on Tomcat 9. And yet — tens of thousands of production servers are still running it today. This isn't negligence. There's a specific technical reason teams stay stuck, and it's worth understanding before you plan your migration. Complete Tomcat EOL Schedule Version Servlet Spec End of Life Status Tomcat 7 3.0 Mar 31, 2021 ❌ EOL Tomcat 8.5 3.1 Mar 31, 2024 ❌ EOL Tomcat 9 4.0 Dec 31, 2025 ❌ EOL Tomcat 10.1 6.0 (Jakarta) Dec 31, 2026 ⚠️ Warning Tomcat 11 6.1 (Jakarta) TBD ✅ Supported Why Tomcat 9 is the Stickiest EOL Version Tomcat 9 was the last version to use the javax.* namespace . Tomcat 10 and later use the jakarta.* namespace — a breaking change introduced with Jakarta EE 9. This means migrating from Tomcat 9 to Tomcat 10+ is not a drop-in upgrade . Every class in your application that imports from javax.servlet needs to be updated to jakarta.servlet . For a large application, that's potentially hundreds of files. The Apache Tomcat project publishes an official migration tool that automates most of this — but the effort is real, and that's why Tomcat 9 outlives its EOL date in so many environments. The CVE Risk of Running EOL Tomcat Tomcat has a well-documented CVE history: HTTP/2 request smuggling, path traversal vulnerabilities, deserialization issues, session fixation bugs. These are high-severity, real-world exploits — not theoretical risks. When Tomcat 9 reached EOL, the Apache project stopped backporting fixes. Any CVE disclosed after December 31, 2025 that affects Tomcat 9 will never receive an official patch. EOL Risk Score for Tomcat 9: 82 Critical View full score → endoflife.ai/scor