Apache Tomcat Flaw Lets Malformed Priority Headers Trigger Denial-of-Service

A security vulnerability, tracked as CVE-2025-31650, has been identified in multiple versions of Apache Tomcat, one of the world’s most widely used open-source web servers and servlet containers.

The flaw, which carries a high severity rating, could allow remote attackers to trigger a denial-of-service (DoS) condition, potentially disrupting business operations for organizations relying on affected Tomcat deployments.

Vulnerability Details

The vulnerability stems from incorrect error handling when Tomcat processes certain malformed HTTP/2 priority headers (the RFC 9218 extensible priority scheme).

When Tomcat receives an invalid priority header, the request fails, but the failed request is not fully cleaned up, so the memory it holds is leaked.

Each such request leaks a little more. An attacker who sends a large number of these specially crafted requests can therefore exhaust the JVM heap, triggering an OutOfMemoryError (the advisory’s wording is OutOfMemoryException) and a complete denial of service. No authentication or special configuration beyond enabled HTTP/2 support is described as necessary; the advisory simply requires volume.

Affected Versions

The vulnerability affects the following Tomcat versions:

  • Apache Tomcat 11.0.0-M2 to 11.0.5
  • Apache Tomcat 10.1.10 to 10.1.39
  • Apache Tomcat 9.0.76 to 9.0.102

Note that although Tomcat 9.0.103 contained the fix, it was never officially released because its release vote failed.

Users on the 9.0.x branch must therefore upgrade to 9.0.104 or later to be protected; any build reporting itself as 9.0.103 should be treated as an unreleased build and moved to 9.0.104 or later.

Mitigation and Recommendations

The Apache Software Foundation strongly advises all users of affected versions to upgrade immediately to the latest patched releases:

  • Tomcat 11.0.6 or later
  • Tomcat 10.1.40 or later
  • Tomcat 9.0.104 or later

The advisory lists no workaround, so prompt upgrading is the only supported way for organizations to avoid potential service disruptions.
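Because the fix threshold differs per branch and 9.0.103 was never shipped, a version check is easy to get wrong by hand. The following Python script is an added example (not code from the advisory or the Tomcat project): it encodes the advisory’s ranges and classifies a version string, handling the milestone ordering needed for 11.0.0-M2 and the unreleased 9.0.103 case. The assess, version_key and parse_server_info names and the sample ServerInfo output are this example’s own constructions; the org.apache.catalina.util.ServerInfo class it parses is Tomcat’s standard way of printing the installed version.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range and first fixed release for each branch, as listed in the
# Apache Tomcat advisory for CVE-2025-31650. 9.0.103 carried the fix but was
# never released, so for the 9.0.x branch the fixed version is 9.0.104.
ADVISORY: Dict[Tuple[int, int], Tuple[str, str, str]] = {
    (11, 0): ("11.0.0-M2", "11.0.5", "11.0.6"),
    (10, 1): ("10.1.10", "10.1.39", "10.1.40"),
    (9, 0): ("9.0.76", "9.0.102", "9.0.104"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '11.0.0-M2' or '10.1.39' into a tuple that sorts correctly.

    A milestone build (-Mn) sorts before the GA release with the same
    number, so 11.0.0-M2 < 11.0.0 < 11.0.1.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def parse_server_info(output: str) -> Optional[str]:
    """Pull the version out of ServerInfo output ('Server version: Apache Tomcat/9.0.102')."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)", output)
    return m.group(1) if m else None


def assess(version: str) -> Dict[str, object]:
    """Classify one Tomcat version against the advisory ranges."""
    key = version_key(version)
    branch = ADVISORY.get(key[:2])
    if branch is None:
        return {"version": version, "affected": False,
                "action": "branch not covered by the advisory (e.g. EOL 8.5.x or 10.0.x); verify separately"}
    low, high, fixed = branch
    if version_key(low) <= key <= version_key(high):
        return {"version": version, "affected": True,
                "action": f"upgrade to {fixed} or later"}
    if key < version_key(low):
        return {"version": version, "affected": False,
                "action": "below the affected range listed in the advisory"}
    if key < version_key(fixed):
        # Only 9.0.103 lands here: built with the fix but never released.
        return {"version": version, "affected": True,
                "action": f"{version} was never officially released; upgrade to {fixed} or later"}
    return {"version": version, "affected": False, "action": "fixed release"}


# Constructed sample output (hypothetical build date), in the shape printed by:
#   java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
SAMPLE_SERVER_INFO = """Server version: Apache Tomcat/10.1.39
Server built:   Jan 1 2025 00:00:00 UTC
Server number:  10.1.39.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = parse_server_info(SAMPLE_SERVER_INFO)
    print(assess(found))
    for v in ("9.0.75", "9.0.102", "9.0.103", "9.0.104",
              "11.0.0-M1", "11.0.0-M2", "11.0.6", "8.5.100"):
        print(assess(v))
```

To run it against a real fleet, capture the output of java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo on each host and pass it to parse_server_info; a branch the advisory does not list (8.5.x, 10.0.x) is reported as not covered rather than as safe, since those branches are end of life and were not assessed.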

Discovery and Response

The Apache Tomcat security team discovered the vulnerability.

The issue was publicly disclosed on April 28, 2025, with detailed advisories and recommendations published on the official Tomcat security pages.

Risk Factor Table

Risk Factor        | Description                                                                  | Severity
-------------------|------------------------------------------------------------------------------|--------------------
Vulnerability Type | Improper input validation, memory leak, denial-of-service (DoS)              | High
Attack Vector      | Remote (via specially crafted HTTP/2 priority headers)                       | High
Impact             | OutOfMemoryError, service disruption, potential business downtime            | High
Affected Versions  | Tomcat 11.0.0-M2 to 11.0.5, 10.1.10 to 10.1.39, 9.0.76 to 9.0.102            | High
Exploitability     | High (only requires sending a large number of malformed requests)            | High
Mitigation         | Upgrade to patched versions (11.0.6, 10.1.40, 9.0.104 or later)              | Critical (priority)

Organizations using Apache Tomcat are urged to assess their deployments and act swiftly to mitigate the risk.

Failure to do so could leave critical web services vulnerable to disruption from targeted denial-of-service attacks.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
