Home > Vulnerability Database > CVE-2025-31650

Mend.io Vulnerability Database

CVE-2025-31650

Good to know:

Date: April 28, 2025

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Severity Score

7.5

Related Resources (18)

Url: https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9

Url: https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826

Url: https://tomcat.apache.org/security-10.html

Url: http://www.openwall.com/lists/oss-security/2025/04/28/2

Url: https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc

Url: https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9

Url: https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40

Url: https://tomcat.apache.org/security-11.html

Url: https://github.com/apache/tomcat

Url: https://security-tracker.debian.org/tracker/CVE-2025-31650

Url: https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d

Url: https://tomcat.apache.org/security-9.html

Url: https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa

Url: https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-31650

Url: https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2

Url: https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60

Url: https://www.mend.io/vulnerability-database/CVE-2025-31650

Severity Score

7.5

Weakness Type (CWE)

Improper Input Validation

CWE-20

Incomplete Cleanup

CWE-459

Improper Cleanup on Thrown Exception

CWE-460

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat:tomcat-coyote:9.0.104;org.apache.tomcat:tomcat-coyote:10.0.40;org.apache.tomcat:tomcat-coyote:11.0.6;org.apache.tomcat:tomcat-coyote:9.0.104;org.apache.tomcat:tomcat-coyote:10.1.40;org.apache.tomcat:tomcat-coyote:11.0.6;org.apache.tomcat.embed:tomcat-embed-core:9.0.104;org.apache.tomcat.embed:tomcat-embed-core:10.0.40;org.apache.tomcat.embed:tomcat-embed-core:11.0.6;org.apache.tomcat.embed:tomcat-embed-core:9.0.104;org.apache.tomcat.embed:tomcat-embed-core:10.1.40;org.apache.tomcat.embed:tomcat-embed-core:11.0.6;https://github.com/apache/tomcat.git - 9.0.104;https://github.com/apache/tomcat.git - 10.0.40;https://github.com/apache/tomcat.git - 11.0.6

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-31650

Good to know:

Date: April 28, 2025

Severity Score

Related Resources (18)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?