Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-31650

Severity: 7.5 HIGH
EPSS: 9.5% (top 7.15%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Apr 28, 2025; latest update Aug 20, 2025

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created bu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6
(Network-reachable, no privileges or user interaction required, no confidentiality or integrity impact; the score is driven entirely by the availability impact.)

Affected Packages (7 packages; 5 shown)

Source      Package                                     Introduced   Fixed / last affected     More
NVD         apache/tomcat                               9.0.76       9.0.104 (fixed)           +3
Maven       org.apache.tomcat:tomcat-coyote             9.0.76       9.0.104 (fixed)           +3
Maven       org.apache.tomcat.embed:tomcat-embed-core   9.0.76       9.0.104 (fixed)           +3
CVEListV5   apache_software_foundation/apache_tomcat    9.0.76       9.0.102 (last affected)   +3
Debian      tomcat9                                     -            < 9.0.107-0+deb11u1       +3
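The affected ranges in the description are inclusive "from ... through ..." ranges, and one of them starts at a milestone build (11.0.0-M2), which a naive string or tuple comparison sorts after 11.0.0 GA instead of before it. The checker below is an added example, not code from the page or from the Apache Tomcat project: it encodes the three ranges from the description, orders milestone builds correctly, and pulls the version string out of the "Server version: Apache Tomcat/x.y.z" line that Tomcat's version.sh / catalina.sh version prints. The sample output it parses is constructed for the example.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges, copied from the CVE-2025-31650 description above.
# 11.0.0-M2 is a milestone build and sorts BEFORE the 11.0.0 GA release.
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102"),
    ("10.1.10", "10.1.39"),
    ("11.0.0-M2", "11.0.5"),
]

# Upstream Tomcat version: major.minor.patch with an optional -M<n> milestone tag.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_tomcat_version(s: str) -> Tuple[int, int, int, int, int]:
    """Turn '10.1.39' or '11.0.0-M2' into a sortable tuple.

    Tuple layout is (major, minor, patch, is_ga, milestone). is_ga is 0 for a
    milestone and 1 for GA, so 'X.Y.Z-Mn' < 'X.Y.Z' and 'X.Y.Z-M1' < 'X.Y.Z-M2'.
    Distro-suffixed strings such as Debian's '9.0.107-0+deb11u1' are rejected on
    purpose: distro packages backport fixes, so compare those against the distro
    advisory rather than the upstream ranges.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised upstream Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (low, high) range the version falls in, or None if it is outside
    every range listed in the description."""
    v = parse_tomcat_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi):
            return (lo, hi)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def version_from_server_info(output: str) -> Optional[str]:
    """Extract the version from version.sh / 'catalina.sh version' output, which
    contains a line of the form 'Server version: Apache Tomcat/10.1.39'."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the relevant line of `catalina.sh version` output.
    sample = "Server version: Apache Tomcat/10.1.39\nServer built:   constructed\n"
    ver = version_from_server_info(sample)
    rng = affected_range(ver)
    print(f"{ver}: {'AFFECTED ' + str(rng) if rng else 'not in a listed affected range'}")
```

Two caveats when using this: a version above a range's upper bound is only reported as "not in a listed range", since the fixed releases for 10.1.x and 11.0.x are not shown on this page (the NVD and Maven rows list 9.0.104 as the fix for the 9.0 line), and the vulnerable code path is HTTP/2 only, so a Connector with no Http2Protocol UpgradeProtocol configured in server.xml does not expose it.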

🔴 Vulnerability Details (4)

OSV: CVE-2025-31650: Improper Input Validation vulnerability in Apache Tomcat (2025-04-28)
OSV: Apache Tomcat Denial of Service via invalid HTTP priority header (2025-04-28)
GHSA: Apache Tomcat Denial of Service via invalid HTTP priority header (2025-04-28)
CVEList: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (2025-04-28)

💥 Exploits & PoCs (1)

Exploit-DB: Apache Tomcat 10.1.39 - Denial of Service (DoS) (2025-06-05)

📋 Vendor Advisories (3)

Ubuntu: Tomcat vulnerabilities (2025-08-20)
Red Hat: tomcat: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (2025-04-28)
Debian: CVE-2025-31650: tomcat10 - Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handli... (2025)