CVE-2025-31650

Summary

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.76 <= 9.0.102affected
Apache Software FoundationApache Tomcat10.1.10 <= 10.1.39affected
Apache Software FoundationApache Tomcat11.0.0-M2 <= 11.0.5affected
Apache Software FoundationApache Tomcat8.5.90 <= 8.5.100affected

Weaknesses

  • CWE-459: CWE-459 Incomplete Cleanup

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References