A critical security vulnerability, tracked as CVE-2025-31650, has been identified in multiple versions of Apache Tomcat, one of the world’s most widely used open-source web servers and servlet containers.
The flaw, which carries a high severity rating, could allow remote attackers to trigger a denial-of-service (DoS) condition, potentially disrupting business operations for organizations relying on affected Tomcat deployments.
Vulnerability Details
The vulnerability stems from improper input validation and incorrect error handling when processing certain malformed HTTP priority headers.
When Tomcat receives an invalid HTTP priority header, it fails to fully clean up the failed request, resulting in a memory leak.
If an attacker sends a large number of such specially crafted requests, the server’s memory may eventually be exhausted, leading to an OutOfMemoryException and a complete denial of service.
Affected Versions
The risk affects the following Tomcat versions:
- Apache Tomcat 11.0.0-M2 to 11.0.5
- Apache Tomcat 10.1.10 to 10.1.39
- Apache Tomcat 9.0.76 to 9.0.102
It is important to note that while Tomcat 9.0.103 contained a fix, it was not officially released due to a failed release vote.
Therefore, users must upgrade to 9.0.104 or later to be protected.
Mitigation and Recommendations
The Apache Software Foundation strongly advises all users of affected versions to upgrade immediately to the latest patched releases:
- Tomcat 11.0.6 or later
- Tomcat 10.1.40 or later
- Tomcat 9.0.104 or later
No alternative workarounds have been suggested, making prompt upgrading essential for organizations to avoid potential service disruptions.
Discovery and Response
The Apache Tomcat security team discovered the vulnerability.
The issue was publicly disclosed on April 28, 2025, with detailed advisories and recommendations published on the official Tomcat security pages.
Risk Factor Table
| Risk Factor | Description | Severity |
|---|---|---|
| Vulnerability Type | Improper Input Validation, Memory Leak, Denial-of-Service (DoS) | High |
| Attack Vector | Remote (via specially crafted HTTP priority headers) | High |
| Impact | OutOfMemoryException, Service Disruption, Potential Business Downtime | High |
| Affected Versions | Tomcat 11.0.0-M2 to 11.0.5, 10.1.10 to 10.1.39, 9.0.76 to 9.0.102 | High |
| Exploitability | High (requires sending a large number of malformed requests) | High |
| Mitigation | Upgrade to patched versions (11.0.6, 10.1.40, 9.0.104 or later) | Critical |
Organizations using Apache Tomcat are urged to assess their deployments and act swiftly to mitigate the risk.
Failure to do so could leave critical web services vulnerable to disruption from targeted denial-of-service attacks.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=The flaw, which carries a high severity rating, could allow remote attackers to trigger a denial-of-service (DoS) condition){kind=link}