The LruCache (org.apache.catalina.filters.CsrfPreventionFilter$LruCache) used by the CSRF Prevention Filter is based on LinkedHashMap. From the LinkedHashMap Javadoc: "Note that this implementation is not synchronized. If multiple threads access a linked hash map concurrently, and at least one of the threads modifies the map structurally, it must be synchronized externally. ..." But the LruCache implementation does not synchronize access to the map.
Fixed in 7.0.x and will be included in 7.0.20 onwards. Proposed for 6.0.x.
The fix has been applied to 6.0.x and will be included in 6.0.33 onwards.
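
The external synchronization that the quoted Javadoc asks for, shown as an added example (not Tomcat's code and not the committed fix). The class, method and key names are hypothetical, and the eight-thread workload in main() is constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

// Added illustration; SyncLruDemo and SynchronizedLruCache are hypothetical names.
public class SyncLruDemo {
    /** Bounded nonce cache: every access to the LinkedHashMap holds the same lock. */
    static final class SynchronizedLruCache<T> {
        private final Map<T, Boolean> cache;

        SynchronizedLruCache(final int maxSize) {
            // Insertion-ordered map that evicts its eldest entry once it exceeds maxSize.
            cache = new LinkedHashMap<T, Boolean>() {
                @Override
                protected boolean removeEldestEntry(Map.Entry<T, Boolean> eldest) {
                    return size() > maxSize;
                }
            };
        }

        // put() modifies the map structurally (insert plus possible eviction),
        // so reads must take the lock as well, not only writes.
        void add(T key) { synchronized (cache) { cache.put(key, Boolean.TRUE); } }
        boolean contains(T key) { synchronized (cache) { return cache.containsKey(key); } }
        int size() { synchronized (cache) { return cache.size(); } }
    }

    public static void main(String[] args) throws InterruptedException {
        final SynchronizedLruCache<String> nonces = new SynchronizedLruCache<String>(5);
        ExecutorService pool = Executors.newFixedThreadPool(8);
        for (int t = 0; t < 8; t++) {
            final int id = t;
            // Constructed workload: each thread stores a nonce, then checks the previous one.
            pool.execute(() -> {
                for (int i = 0; i < 100_000; i++) {
                    nonces.add("nonce-" + id + "-" + i);
                    nonces.contains("nonce-" + id + "-" + (i - 1));
                }
            });
        }
        pool.shutdown();
        if (!pool.awaitTermination(1, TimeUnit.MINUTES)) {
            throw new IllegalStateException("workers did not finish");
        }
        System.out.println("entries held after concurrent use: " + nonces.size());
    }
}
```

Removing the synchronized blocks leaves the map open to the concurrent structural modification described in the report, where the internal linked list and size counter can be corrupted.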