CVE-2025-31650
Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
7Exploited in Wild
-Decision
Descriptions
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
A flaw was found in Apache Tomcat. This vulnerability allows an application-level denial of service (DoS), causing it to become unresponsive or slow via maliciously crafted HTTP/2 prioritization headers. It performs an incomplete cleanup of failed requests, which triggers a memory leak.
This update for tomcat10 fixes the following issues. Update to Tomcat 10.1.40. Invalid priority field values should be ignored. Better handling of URLs with literal ';' and '?'.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2025-03-31 CVE Reserved
- 2025-04-28 CVE Published
- 2025-04-30 First Exploit
- 2025-05-06 CVE Updated
- 2025-07-01 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-459: Incomplete Cleanup
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2025/04/28/2 |
|
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/200672 | 2025-06-06 | |
| https://www.exploit-db.com/exploits/52318 | 2025-06-05 | |
| https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650 | 2025-04-30 | |
| https://github.com/tunahantekeoglu/CVE-2025-31650 | 2025-04-30 | |
| https://github.com/sattarbug/Analysis-of-TomcatKiller---CVE-2025-31650-Exploit-Tool | 2025-05-02 | |
| https://github.com/obscura-cert/CVE-2025-31650 | 2025-06-28 | |
| https://github.com/B1gN0Se/Tomcat-CVE-2025-31650 | 2025-07-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 | 2025-04-28 | |
| https://access.redhat.com/security/cve/CVE-2025-31650 | 2025-05-08 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2362783 | 2025-05-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 9.0.76 <= 9.0.102 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.76 <= 9.0.102" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 10.1.10 <= 10.1.39 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.10 <= 10.1.39" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 11.0.0-M2 <= 11.0.5 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M2 <= 11.0.5" | en |
Affected
| ||||||