CVE-2025-31650
Improper Input Validation vulnerability in tomcat-embed-core (Maven)


What is CVE-2025-31650 About?

Apache Tomcat 9.0.76 through 9.0.102, 10.1.10 through 10.1.39 and 11.0.0-M2 through 11.0.5 mishandle the error path for some invalid HTTP/2 priority headers (the RFC 9218 priority field). When parsing such a header fails, the failed request is not completely cleaned up, so each one leaks memory. A large number of such requests can exhaust the heap and trigger an OutOfMemoryException (the advisory's term; on the JVM it surfaces as java.lang.OutOfMemoryError), denying service. The attack is remote and unauthenticated; the only requirement is the ability to send many malformed requests. The Affected Software list below additionally includes the end-of-life 8.5.x branch, for which no fixed release exists.

Affected Software

  • org.apache.tomcat:tomcat-coyote
    • >=8.5.0, <=8.5.100 (branch is end of life; no fixed release)
    • >=9.0.76, <9.0.104
    • >=10.1.10, <10.1.40
    • >=11.0.0-M2, <11.0.6
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=8.5.0, <=8.5.100 (branch is end of life; no fixed release)
    • >=9.0.76, <9.0.104
    • >=10.1.10, <10.1.40
    • >=11.0.0-M2, <11.0.6

Technical Details

The defect is in Tomcat's error handling for the HTTP/2 priority header. When a request arrives with a malformed or otherwise invalid priority header, the request fails, but the failure path does not release all of the state that was allocated for that request before the header was rejected. That state stays referenced, so the garbage collector cannot reclaim it, and every failed request leaves a little more behind. An attacker who repeatedly sends such requests triggers the leak on each one; the unreleased allocations accumulate until the heap is exhausted, the JVM throws an OutOfMemoryException (java.lang.OutOfMemoryError) and the Tomcat instance stops serving requests.

What is the Impact of CVE-2025-31650?

Successful exploitation causes a denial of service: leaked memory accumulates until the JVM runs out of heap, after which the Tomcat instance is unstable or unresponsive until it is restarted. Confidentiality and integrity are not affected.

What is the Exploitability of CVE-2025-31650?

Exploitation is straightforward. An attacker crafts HTTP/2 requests carrying an invalid priority header and sends a large volume of them to the vulnerable server. No authentication or privileges are needed, because the failure happens while the request is still being parsed, before any application code runs. The attack is remote. The preconditions are that the server runs an affected version and that the attacker can reach an HTTP/2-enabled connector: since the defect sits in the HTTP/2 upgrade handler, a connector with no UpgradeProtocol configured for HTTP/2 (in Spring Boot, server.http2.enabled left at its default of false) does not expose this path. The risk is elevated because relatively simple malformed requests can take the whole instance down, which makes it an attractive denial-of-service target.

What are the Known Public Exploits?

Author           Link   Commentary
absholi7ly       Link   A tool designed to detect CVE-2025-31650 in Apache Tomcat (versions 10.1.10 to 10.1.39)
tunahantekeoglu  Link   CVE-2025-31650 PoC
sattarbug        Link   PoC for CVE-2025-31650

A tool that "detects" this issue by sending the triggering traffic is itself a denial-of-service attempt against the target. Run such PoCs only against instances you own, and rely on version checks for production fleets.

What are the Available Fixes for CVE-2025-31650?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch improves error handling in the HTTP/2 upgrade handler: a catch block for all unexpected Throwables ensures the error is handled and the connection is closed, so the per-connection state that a failed request would otherwise leave behind is released with it. That closes CVE-2025-31650 by preventing an unhandled exception from leaving the server in an inconsistent, memory-retaining state that repeated requests could grow into a denial of service.
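The leak in Technical Details and the catch-all fix pattern described above, as an added Python model. This is not Tomcat's source or Resolved Security's patch: the priority parser is a simplified reading of RFC 9218 (urgency u in 0..7, optional incremental flag i), and the Connection class with its streams dictionary is a stand-in for Tomcat's per-request state. The two handlers differ only in whether the error path unwinds what was allocated before the header was rejected.

```python
"""Model of the failure mode behind CVE-2025-31650 and of the catch-all fix pattern.

Added example: this is not Tomcat's source or Resolved Security's patch. The
priority parser is a simplified reading of RFC 9218 (u=0..7, optional i); the
Connection/stream bookkeeping stands in for Tomcat's per-request state.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class BadPriority(ValueError):
    """A priority value that is not a valid RFC 9218 dictionary."""


def parse_priority(value: str) -> tuple[int, bool]:
    """Return (urgency, incremental) for values such as 'u=3, i'.

    Assumption: only the u and i members of the dictionary are modelled.
    """
    urgency, incremental = 3, False  # RFC 9218 defaults
    for member in filter(None, (m.strip() for m in value.split(","))):
        key, _, raw = member.partition("=")
        if key == "u":
            if not raw.isdigit() or not 0 <= int(raw) <= 7:
                raise BadPriority(f"urgency out of range: {raw!r}")
            urgency = int(raw)
        elif key == "i":
            if raw not in ("", "?1", "?0"):
                raise BadPriority(f"bad boolean for i: {raw!r}")
            incremental = raw != "?0"
        else:
            raise BadPriority(f"unknown member: {key!r}")
    return urgency, incremental


def is_valid_priority(value: str) -> bool:
    """True when parse_priority accepts the value."""
    try:
        parse_priority(value)
    except BadPriority:
        return False
    return True


@dataclass
class Connection:
    """Per-connection state: the streams dict is what leaks when cleanup is skipped."""
    streams: dict[int, dict] = field(default_factory=dict)
    closed: bool = False
    next_id: int = 1

    def _open_stream(self, headers: dict[str, str]) -> int:
        sid = self.next_id
        self.next_id += 2  # client-initiated HTTP/2 streams use odd ids
        self.streams[sid] = {"headers": headers, "buf": bytearray(64 * 1024)}
        return sid

    def handle_vulnerable(self, headers: dict[str, str]) -> None:
        """Leaky shape: state is registered, parsing throws, nothing unwinds it."""
        sid = self._open_stream(headers)
        parse_priority(headers.get("priority", ""))  # raises -> stream is never removed
        del self.streams[sid]

    def handle_fixed(self, headers: dict[str, str]) -> None:
        """Fix pattern: catch everything, release the state, close the connection."""
        sid = self._open_stream(headers)
        try:
            parse_priority(headers.get("priority", ""))
        except Exception:  # Python analogue of catch (Throwable t)
            self.closed = True
            raise
        finally:
            self.streams.pop(sid, None)


def leaked_streams(handler: str, requests: int) -> int:
    """Send `requests` malformed-priority requests through one handler; return retained streams."""
    conn = Connection()
    for _ in range(requests):
        if conn.closed:  # the fixed handler drops the connection after the first bad header
            break
        try:
            getattr(conn, handler)({"priority": "u=9, i"})  # u=9 is outside 0..7
        except BadPriority:
            pass  # the server reports the error; the question is what it left behind
    return len(conn.streams)


if __name__ == "__main__":
    print("vulnerable:", leaked_streams("handle_vulnerable", 1000))  # 1000 streams retained
    print("fixed:     ", leaked_streams("handle_fixed", 1000))       # 0
```

The vulnerable handler retains one 64 KiB buffer per malformed request for as long as the connection object lives, which is the shape of leak the advisory describes; the fixed handler uses try/finally so the registered state is removed on every exit path, and the catch-all marks the connection closed so the peer cannot keep feeding it bad headers.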

Available Upgrade Options

  • org.apache.tomcat:tomcat-coyote
    • >=9.0.76, <9.0.104 → Upgrade to 9.0.104
    • >=10.1.10, <10.1.40 → Upgrade to 10.1.40
    • >=11.0.0-M2, <11.0.6 → Upgrade to 11.0.6
  • org.apache.tomcat.embed:tomcat-embed-core
    • >=9.0.76, <9.0.104 → Upgrade to 9.0.104
    • >=10.1.10, <10.1.40 → Upgrade to 10.1.40
    • >=11.0.0-M2, <11.0.6 → Upgrade to 11.0.6
  • 8.5.x (both artifacts): no fixed release exists because the branch is end of life; move to 9.0.104 or a later supported branch.

Both artifacts ship at the same Tomcat version and should be moved together. In a Spring Boot build the embedded Tomcat version comes from the tomcat.version property of the Spring Boot BOM, so override that property rather than pinning the individual artifacts.
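The affected and fixed ranges from the Affected Software and Available Upgrade Options sections, turned into a dependency check. This is an added example, not Resolved Security's tooling or Apache's code; the branch and fix data are copied from this page, the dependency-tree text is constructed for the demo, and the milestone ordering (11.0.0-M2 before 11.0.0) is the one Maven and Tomcat's own numbering use. Feed scan() the output of mvn dependency:tree to run it against a real build.

```python
"""Check Maven coordinates against the CVE-2025-31650 ranges listed on this page.

Added example, not Resolved Security's tooling or an Apache artifact. The
dependency-tree text is constructed for the demo; feed scan() the output of
`mvn dependency:tree` to run it against a real build.
"""
from __future__ import annotations

import re

AFFECTED_ARTIFACTS = {
    "org.apache.tomcat:tomcat-coyote",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

# (branch, first affected release, first fixed release or None).
# 8.5.x is end of life: 8.5.0 through 8.5.100 (the last 8.5 release) are
# listed as affected and there is no fixed 8.5.x release.
BRANCHES = [
    ((8, 5), "8.5.0", None),
    ((9, 0), "9.0.76", "9.0.104"),
    ((10, 1), "10.1.10", "10.1.40"),
    ((11, 0), "11.0.0-M2", "11.0.6"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Matches "group:artifact:jar:version[:scope]" as printed by mvn dependency:tree.
DEP_RE = re.compile(r"([\w.-]+):([\w.-]+):jar:([\w.-]+)")


def version_key(version: str) -> tuple[int, ...]:
    """Order Tomcat versions so a milestone (11.0.0-M2) sorts before its GA (11.0.0)."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def assess(artifact: str, version: str) -> tuple[bool, str | None]:
    """Return (affected, first fixed version); the fix is None when there is none."""
    if artifact not in AFFECTED_ARTIFACTS:
        return False, None
    key = version_key(version)
    for branch, first_bad, first_fixed in BRANCHES:
        if key[:2] != branch:
            continue
        affected = key >= version_key(first_bad) and (
            first_fixed is None or key < version_key(first_fixed)
        )
        return affected, (first_fixed if affected else None)
    return False, None  # a branch this page does not list; check the Apache advisory


def scan(tree_text: str) -> list[tuple[str, str, str | None]]:
    """Return (coordinate, version, fix) for every affected artifact in a dependency tree."""
    hits = []
    for group, artifact, version in DEP_RE.findall(tree_text):
        coord = f"{group}:{artifact}"
        if coord in AFFECTED_ARTIFACTS:
            affected, fix = assess(coord, version)
            if affected:
                hits.append((coord, version, fix))
    return hits


# Constructed sample, not a real build's output.
SAMPLE_TREE = r"""
[INFO] com.example:shop:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.1.0:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:3.1.0:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.39:compile
[INFO] |     \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.39:compile
[INFO] +- org.apache.tomcat:tomcat-coyote:jar:9.0.75:compile
[INFO] \- org.apache.tomcat:tomcat-coyote:jar:11.0.0-M3:test
"""

if __name__ == "__main__":
    for coord, version, fix in scan(SAMPLE_TREE):
        target = fix or "a supported branch (8.5.x has no fixed release)"
        print(f"{coord} {version}: affected, upgrade to {target}")
```

The sample tree flags tomcat-embed-core 10.1.39 and the test-scoped tomcat-coyote 11.0.0-M3 and leaves tomcat-coyote 9.0.75 alone, since 9.0.76 is the first affected 9.0.x release. The 8.5.x branch is reported as affected with no fix, which is the case an automated upgrade bot cannot resolve on its own.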


Additional Resources

What are Similar Vulnerabilities to CVE-2025-31650?

Similar Vulnerabilities: CVE-2023-46589, CVE-2023-28956, CVE-2023-28114, CVE-2022-26135, CVE-2021-41031