Improper Input Validation in Apache Tomcat by Apache
CVE-2025-31650

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 28 April 2025


What is CVE-2025-31650?

CVE-2025-31650 is a notable vulnerability found in Apache Tomcat, a widely used open-source application server that provides a robust platform for running Java applications. This particular vulnerability is characterized by improper input validation due to incorrect error handling of certain invalid HTTP priority headers. If exploited, it could lead to a memory leak, potentially resulting in an OutOfMemoryException. For organizations relying on Apache Tomcat for their web applications, this could compromise service availability and operational efficiency.

Technical Details

The vulnerability arises from the way Apache Tomcat processes invalid HTTP priority headers. Specifically, the error handling mechanism fails to adequately clean up failed requests, leading to a gradual depletion of memory resources as numerous invalid requests are processed. This oversight affects specific versions of Apache Tomcat, including versions 9.0.76 through 9.0.102, 10.1.10 through 10.1.39, and from 11.0.0-M2 through 11.0.5. To mitigate this risk, users are advised to upgrade to versions 9.0.104, 10.1.40, or 11.0.6, which address the vulnerability.

Potential impact of CVE-2025-31650

  1. Denial of Service (DoS): The most immediate impact of this vulnerability is the potential for denial of service. An attacker could deliberately send numerous invalid HTTP requests, exhausting server memory and rendering services unavailable to legitimate users.

  2. Resource Depletion: Continuous exploitation can lead to significant resource depletion, affecting system performance and potentially causing crashes or disruptions in service for users relying on the server for critical operations.

  3. Operational Risks: With a vulnerable server susceptible to repeated invalid request scenarios, organizations may face operational risks, such as increased maintenance costs, strained IT resources for troubleshooting, and the necessity for urgent updates, all of which can detract from core business functions.

Affected Version(s)

Apache Tomcat 9.0.76 through 9.0.102

Apache Tomcat 10.1.10 through 10.1.39

Apache Tomcat 11.0.0-M2 through 11.0.5
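A small checker, added here as an example and not part of the advisory or of Tomcat itself, that maps an installed Tomcat version onto the three affected ranges above and reports the fix release to move to. It handles the milestone suffix (11.0.0-M2 sorts before the 11.0.0 release) and assumes the "Server version: Apache Tomcat/x.y.z" line that bin/version.sh prints; the sample output below is constructed.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and the fixed release for each branch, from the advisory.
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102", "9.0.104"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("11.0.0-M2", "11.0.5", "11.0.6"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_GA = 10**6  # sentinel so a GA release sorts after any milestone of the same number


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-Mn]' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), int(milestone) if milestone else _GA


def check_version(text: str) -> Optional[str]:
    """Return the fixed release to upgrade to if `text` is affected, else None."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def version_from_banner(output: str) -> str:
    """Pull the version out of the (assumed) 'Server version: Apache Tomcat/...' line."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Server version' line found")
    return m.group(1)


# Constructed sample of what bin/version.sh prints on an affected host.
SAMPLE_BANNER = "Using CATALINA_BASE:   /opt/tomcat\nServer version: Apache Tomcat/9.0.102\n"

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    fix = check_version(found)
    print(f"{found}: {'affected, upgrade to ' + fix if fix else 'not in an affected range'}")
```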

News Articles

Multiple Vulnerabilities in Apache Tomcat Software

The Apache Software Foundation has released updates addressing multiple vulnerabilities affecting their Apache Tomcat software. Users and administrators of...

1 week ago

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • First article discovered by Cyber Security Agency of Singapore

  • Vulnerability published

  • Vulnerability Reserved
