Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

cve-2025-31650
Back to All
CVE

CVE-2025-31650

Apache Tomcat Denial of Service via invalid HTTP priority header

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Base CVSS

7.5

EPSS Score

4.31%

Introduced Version

9.0.76

Fix Available

9.0.104,10.1.40,11.0.6

Available Patches

Package
CVEs Fixed
Lines of Code Changed
Package Name
org.apache.tomcat.embed:tomcat-embed-core
11.0.2
7 CVES Fixed
C
0
H
7
M
0
L
0
Code Changed
+397
-159

References

https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40
https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa
https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9
https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc
https://nvd.nist.gov/vuln/detail/CVE-2025-31650
https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9
https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60
https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2
https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff
http://www.openwall.com/lists/oss-security/2025/04/28/2
https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-9.html
https://github.com/apache/tomcat

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance
Oops! Something went wrong, please try again.