CVE-2025-31650

Published: Apr 28, 2025

Modified: Nov 3, 2025

PUBLISHED

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Vendor	Product	Versions
Apache Software Foundation	Apache Tomcat	affected `9.0.76 - <= 9.0.102` affected `10.1.10 - <= 10.1.39` affected `11.0.0-M2 - <= 11.0.5` affected `8.5.90 - <= 8.5.100`

Weaknesses (CWE)

CWE-459

References

https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-31650

Description

Affected Products

Weaknesses (CWE)

References