VYPR
Moderate severityNVD Advisory· Published Apr 28, 2025· Updated Nov 3, 2025

Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

CVE-2025-31650

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcat-coyoteMaven
>= 9.0.76, < 9.0.1049.0.104
org.apache.tomcat:tomcat-coyoteMaven
>= 10.1.10, < 10.1.4010.1.40
org.apache.tomcat:tomcat-coyoteMaven
>= 11.0.0-M2, < 11.0.611.0.6
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 9.0.76, < 9.0.1049.0.104
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 10.1.10, < 10.1.4010.1.40
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 11.0.0-M2, < 11.0.611.0.6
org.apache.tomcat:tomcat-coyoteMaven
>= 8.5.0, <= 8.5.100
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.5.0, <= 8.5.100

Affected products

57

Patches

Vulnerability mechanics

References

17

News mentions

0

No linked articles in our index yet.