Apache Tomcat up to 9.0.102/10.1.39/11.0.5 HTTP Priority Header resource consumption

Summaryinfo

A vulnerability, which was classified as problematic, was found in Apache Tomcat up to 9.0.102/10.1.39/11.0.5. This issue affects some unknown processing of the component HTTP Priority Header Handler. The manipulation results in resource consumption. This vulnerability is known as CVE-2025-31650. It is possible to launch the attack remotely. Furthermore, an exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Apache Tomcat up to 9.0.102/10.1.39/11.0.5. It has been classified as problematic. Affected is some unknown functionality of the component HTTP Priority Header Handler. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. CVE summarizes:

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

The advisory is shared for download at lists.apache.org. This vulnerability is traded as CVE-2025-31650 since 03/31/2025. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1499.

The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 235034 (Apache Tomcat 9.0.0.M1 < 9.0.104 multiple vulnerabilities), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.0.104, 10.1.40 or 11.0.6 eliminates this vulnerability.

The vulnerability is also documented in the databases at Exploit-DB (52318), Tenable (235034), EUVD (EUVD-2025-13627) and CERT Bund (WID-SEC-2025-0895). Once again VulDB remains the best source for vulnerability data.

Affected

• IBM Security Guardium
• Debian Linux
• Amazon Linux 2
• IBM Power Hardware Management Console
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Red Hat JBoss Web Server
• Oracle Linux
• RESF Rocky Linux
• Atlassian Confluence
• Apache Tomcat
• Atlassian Bamboo
• IBM Integration Bus
• Atlassian Jira
• Trellix ePolicy Orchestrator
• HCL Commerce
• Dell NetWorker
• SAS Institute Base SAS

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

Version

• 9.0.102
• 10.1.0
• 10.1.1
• 10.1.2
• 10.1.3
• 10.1.4
• 10.1.5
• 10.1.6
• 10.1.7
• 10.1.8
• 10.1.9
• 10.1.10
• 10.1.11
• 10.1.12
• 10.1.13
• 10.1.14
• 10.1.15
• 10.1.16
• 10.1.17
• 10.1.18
• 10.1.19
• 10.1.20
• 10.1.21
• 10.1.22
• 10.1.23
• 10.1.24
• 10.1.25
• 10.1.26
• 10.1.27
• 10.1.28
• 10.1.29
• 10.1.30
• 10.1.31
• 10.1.32
• 10.1.33
• 10.1.34
• 10.1.35
• 10.1.36
• 10.1.37
• 10.1.38
• 10.1.39
• 11.0.0
• 11.0.1
• 11.0.2
• 11.0.3
• 11.0.4
• 11.0.5

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion