CVE-2025-31650
Apache Tomcat Denial of Service via invalid HTTP priority header
Description
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
How to fix CVE-2025-31650
To remediate CVE-2025-31650, upgrade the affected package to a fixed version below.
- —upgrade to 9.0.104 or later
- —upgrade to 10.1.40-1 or later
- —upgrade to 11.0.6-1 or later
- —upgrade to 9.0.107-0+deb11u1 or later
- —upgrade to 9.0.104 or later
- —upgrade to 9.0.104 or later
Is CVE-2025-31650 being exploited?
Moderate — EPSS is 10.9%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (6)
- >= 9.0.76, < 9.0.104, >= 10.1.10, < 10.1.40, >= 11.0.0, < 11.0.6
- from 0, < 10.1.40-1
- from 0, < 11.0.6-1
- from 0, < 9.0.107-0+deb11u1
- >= 9.0.76, < 9.0.104
- >= 9.0.76, < 9.0.104
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |