PT-2025-18102 · Apache · Apache Tomcat
Mark Thomas · Published 2025-04-08 · Updated 2026-06-08
CVE-2025-31650
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.90 through 8.5.100
Apache Tomcat versions 9.0.76 through 9.0.102
Apache Tomcat versions 10.1.10 through 10.1.39
Apache Tomcat versions 11.0.0-M2 through 11.0.5
Description
Apache Tomcat validates some invalid HTTP priority headers incorrectly: the error path for such a header does not fully clean up the failed request, so each one leaks memory. A remote attacker can send a large volume of specially crafted HTTP requests to exhaust the heap and trigger an OutOfMemoryException, causing a denial of service.
Recommendations
Upgrade to version 9.0.104 for affected 9.0.x versions.
Upgrade to version 10.1.40 for affected 10.1.x versions.
Upgrade to version 11.0.6 for affected 11.0.x versions.
As a temporary workaround, restrict or filter invalid HTTP priority headers to minimize the risk of exploitation.
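The workaround above asks for invalid priority headers to be filtered before they reach Tomcat. The following is an added example, not code from the advisory or from the Apache Tomcat project, of a strict validator that a reverse proxy or WAF in front of Tomcat could apply. It assumes the header in question is the `Priority` field of RFC 9218, whose value is an RFC 8941 Structured Field dictionary with two defined keys: `u` (urgency, integer 0..7, default 3) and `i` (incremental, boolean, bare `i` meaning true). Malformed values are dropped, and valid ones are forwarded in canonical form; rejecting member parameters (`;...`) and non-dictionary syntax is a deliberate strictness choice for a front-end filter and goes beyond what the RFC itself requires.

```python
"""Validate and normalise the HTTP `Priority` header (RFC 9218 / RFC 8941).

Assumptions (added example, not the advisory's own code):
  - the "HTTP priority header" in the advisory is the RFC 9218 `Priority` field;
  - a front-end filter may legitimately drop a malformed value rather than
    forward it to the origin server.
"""
import re
from typing import Dict, Optional, Tuple

URGENCY_DEFAULT = 3          # RFC 9218: default urgency
INCREMENTAL_DEFAULT = False  # RFC 9218: default incremental flag

# RFC 8941 grammar, restricted to the item types a Priority dictionary can carry.
_KEY = r"[a-z*][a-z0-9_\-.*]*"
_INTEGER = r"-?[0-9]{1,15}"
_BOOLEAN = r"\?[01]"
_TOKEN = r"[A-Za-z*][A-Za-z0-9:/!#$%&'*+\-.^_`|~]*"
_STRING = r'"(?:[\x20\x21\x23-\x5b\x5d-\x7e]|\\[\\"])*"'
# One dictionary member: key, optionally "=" and a bare item. Parameters (";")
# and inner lists ("(...)") are intentionally rejected by this filter.
_MEMBER = re.compile(rf"^({_KEY})(?:=({_INTEGER}|{_BOOLEAN}|{_TOKEN}|{_STRING}))?$")


class InvalidPriority(ValueError):
    """Raised when a Priority field value is not well-formed."""


def parse_priority(value: str) -> Tuple[int, bool]:
    """Parse a Priority field value into (urgency, incremental).

    Unknown keys are ignored, as RFC 9218 requires, but every member must
    still be syntactically valid. Later members override earlier ones.
    """
    urgency, incremental = URGENCY_DEFAULT, INCREMENTAL_DEFAULT
    value = value.strip(" \t")
    if value == "":
        raise InvalidPriority("empty field value")
    for raw in value.split(","):
        member = raw.strip(" \t")
        m = _MEMBER.match(member)
        if m is None:  # also catches trailing commas and empty members
            raise InvalidPriority(f"malformed member {member!r}")
        key, val = m.group(1), m.group(2)
        if key == "u":
            if val is None or not re.fullmatch(_INTEGER, val) or not 0 <= int(val) <= 7:
                raise InvalidPriority(f"urgency must be an integer 0..7, got {val!r}")
            urgency = int(val)
        elif key == "i":
            if val is None:            # bare key == boolean true
                incremental = True
            elif re.fullmatch(_BOOLEAN, val):
                incremental = val == "?1"
            else:
                raise InvalidPriority(f"incremental must be a boolean, got {val!r}")
        # any other key: syntactically checked above, semantically ignored
    return urgency, incremental


def sanitize_priority(value: Optional[str]) -> Optional[str]:
    """Return the canonical value to forward upstream, or None to drop the header."""
    if value is None:
        return None
    try:
        u, i = parse_priority(value)
    except InvalidPriority:
        return None
    return f"u={u}, i" if i else f"u={u}"


def filter_request_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of `headers` with any malformed Priority header removed or normalised.

    Header names are matched case-insensitively (HTTP/2 sends them lowercase).
    """
    out: Dict[str, str] = {}
    for name, val in headers.items():
        if name.lower() == "priority":
            clean = sanitize_priority(val)
            if clean is not None:
                out[name] = clean
        else:
            out[name] = val
    return out


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    samples = ["u=3, i", "u=0", "i=?0", "u=5, x=foo", "u=9", "u=abc", "u=3;q=1", "u=3,", ""]
    for s in samples:
        print(f"{s!r:14} -> {sanitize_priority(s)!r}")
```

Values that parse are rewritten to a canonical `u=N[, i]` form, so the origin server never sees the attacker's raw bytes; anything that fails the grammar or the 0..7 urgency range is stripped rather than forwarded.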
Tags: Exploit · Fix · DoS · RCE · Improper Encoding or Escaping of Output
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Bamboo
Bitbucket
Centos
Confluence
Debian
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu