Home

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

PUBLISHED Reserved 2025-03-31 | Published 2025-04-28 | Updated 2025-11-03 | Assigner apache

Problem types

CWE-459 Incomplete Cleanup

Product status

Default status
unaffected

9.0.76 (semver)
affected

10.1.10 (semver)
affected

11.0.0-M2 (semver)
affected

8.5.90 (semver)
affected

References

www.openwall.com/lists/oss-security/2025/04/28/2

lists.debian.org/debian-lts-announce/2025/07/msg00009.html

lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 vendor-advisory

cve.org (CVE-2025-31650)

nvd.nist.gov (CVE-2025-31650)

Download JSON