CVE-2025-31650

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

CVSS Metrics

• v4.0•HIGH•Score: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 10.91%• Percentile: 94%

Techniques & Countermeasures

• CWE-459•Incomplete Cleanup

  The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

Affected Systems

• apache software foundation•apache tomcat

  ≥ 9.0.76, ≤ 9.0.102 | ≥ 10.1.10, ≤ 10.1.39 | ≥ 11.0.0-M2, ≤ 11.0.5 | ≥ 8.5.90, ≤ 8.5.100

• Unknown•Tomcat

  ≥ 9.0.76, < 9.0.104 | ≥ 10.1.10, < 10.1.40 | ≥ 11.0.1, < 11.0.6 | 11.0.0:milestone10 | 11.0.0:milestone11 | 11.0.0:milestone12 | 11.0.0:milestone13 | 11.0.0:milestone14 | 11.0.0:milestone15 | 11.0.0:milestone16 | 11.0.0:milestone17 | 11.0.0:milestone18 | 11.0.0:milestone19 | 11.0.0:milestone2 | 11.0.0:milestone20 | 11.0.0:milestone21 | 11.0.0:milestone22 | 11.0.0:milestone23 | 11.0.0:milestone24 | 11.0.0:milestone25 | 11.0.0:milestone3 | 11.0.0:milestone4 | 11.0.0:milestone5 | 11.0.0:milestone6 | 11.0.0:milestone7 | 11.0.0:milestone8 | 11.0.0:milestone9

• org.apache.tomcat•tomcat-coyote

  ≥ 9.0.76, < 9.0.104 | ≥ 10.1.10, < 10.1.40 | ≥ 11.0.0-M2, < 11.0.6 | ≥ 8.5.0, ≤ 8.5.100

• org.apache.tomcat.embed•tomcat-embed-core

  ≥ 9.0.76, < 9.0.104 | ≥ 10.1.10, < 10.1.40 | ≥ 11.0.0-M2, < 11.0.6 | ≥ 8.5.0, ≤ 8.5.100

References (17)

• https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
• http://www.openwall.com/lists/oss-security/2025/04/28/2
• https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html
• https://nvd.nist.gov/vuln/detail/CVE-2025-31650
• https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc
• https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d
• https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40
• https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60
• https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9
• https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa
• https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff
• https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9
• https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2
• https://github.com/apache/tomcat
• https://tomcat.apache.org/security-10.html
• https://tomcat.apache.org/security-11.html
• https://tomcat.apache.org/security-9.html