
High Severity Vulnerability

This vulnerability has been rated as High severity. Immediate action is recommended.

CVE-2025-31650

Severity: High
CVSS Score: 7.5
Published: Apr 28, 2025
Last Modified: Nov 03, 2025

Vulnerability Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers (the RFC 9218 Priority header, handled by Tomcat's HTTP/2 implementation) resulted in incomplete clean-up of the failed request, which created a memory leak. A large number of such requests could exhaust the heap and trigger an OutOfMemoryError (the advisory text calls it an OutOfMemoryException), resulting in a denial of service. No authentication or user interaction is required; the attacker only needs to be able to send requests to a connector with the HTTP/2 upgrade protocol configured.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, and from 11.0.0-M2 through 11.0.5. These ranges begin with the releases that added support for the RFC 9218 Priority header.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 through 8.5.100. No fixed 8.5.x release exists; installations on that branch need to move to a supported branch.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.
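The ranges above mix GA releases and milestone builds (11.0.0-M2 through 11.0.5), so a naive string comparison misjudges them. The following is an added example, not code from the advisory or from the Tomcat project: it encodes the vendor's stated ranges and fixed versions, orders milestone builds before the corresponding GA release, and parses the "Server version:" line that Tomcat's bin/version.sh prints. The sample version.sh output is constructed for the example. Because the CPE data on this page also lists 9.0.103, which lies outside the vendor's stated range, the safer test is needs_upgrade(), which flags anything below the first fixed release on its branch.

```python
"""Triage an Apache Tomcat version against the CVE-2025-31650 affected ranges (added example)."""
import re

# Inclusive affected ranges as stated in the advisory text above.
# 8.5.x was EOL when the CVE was issued but is listed as affected.
AFFECTED_RANGES = [
    ("8.5.90", "8.5.100"),
    ("9.0.76", "9.0.102"),
    ("10.1.10", "10.1.39"),
    ("11.0.0-M2", "11.0.5"),
]

# First fixed release per supported branch, from the advisory.
FIXED = {"9.0": "9.0.104", "10.1": "10.1.40", "11.0": "11.0.6"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key for 'major.minor.patch' or 'major.minor.patch-M<n>'.

    A milestone (e.g. 11.0.0-M26) sorts before the GA build of the same
    number, so the flag field is 0 for milestones and 1 for GA releases.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the vendor's stated ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str):
    """Fixed release for the version's branch, or None for an EOL/unlisted branch."""
    major, minor = version_key(version)[:2]
    return FIXED.get(f"{major}.{minor}")


def needs_upgrade(version: str) -> bool:
    """Conservative check: inside a stated range, or below the branch's first fixed release."""
    fix = recommended_fix(version)
    below_fix = fix is not None and version_key(version) < version_key(fix)
    return is_affected(version) or below_fix


def parse_version_sh(output: str) -> str:
    """Extract the version from bin/version.sh output ('Server version: Apache Tomcat/9.0.80')."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Server version' line found")
    return m.group(1)


# Constructed sample of version.sh output for the example (not from a real host).
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.80
Server number:  9.0.80.0
"""


def triage(output: str) -> dict:
    """Summarise one host's exposure from its version.sh output."""
    v = parse_version_sh(output)
    return {
        "version": v,
        "affected": is_affected(v),
        "needs_upgrade": needs_upgrade(v),
        "upgrade_to": recommended_fix(v),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION_SH))
```

Run it against the real output of `$CATALINA_HOME/bin/version.sh` (or `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`) on each host; a None in upgrade_to means the branch has no fixed release on this page and the host must move to 9.0.104, 10.1.40 or 11.0.6.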

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: None (N)
Integrity: None (N)
Availability: High (H)

In plain terms: an unauthenticated remote attacker, with no user interaction, can take the service down; there is no confidentiality or integrity impact, which is why the score stays at 7.5 rather than the 9.8 a full C/I/A impact with the same exploitability would give.

Known Affected Software

63 configurations from 1 vendor (Apache). The CPE entries are grouped by branch and sorted by version. Two points worth noting: the 11.0.0 entry is the milestone build (CPE update field milestone26, i.e. 11.0.0-M26), and 9.0.103 appears in the CPE data although the vendor's stated range ends at 9.0.102.

Apache Tomcat 9.0.x (28 configurations)
9.0.76   cpe:2.3:a:apache:tomcat:9.0.76:*:*:*:*:*:*:*
9.0.77   cpe:2.3:a:apache:tomcat:9.0.77:*:*:*:*:*:*:*
9.0.78   cpe:2.3:a:apache:tomcat:9.0.78:*:*:*:*:*:*:*
9.0.79   cpe:2.3:a:apache:tomcat:9.0.79:*:*:*:*:*:*:*
9.0.80   cpe:2.3:a:apache:tomcat:9.0.80:*:*:*:*:*:*:*
9.0.81   cpe:2.3:a:apache:tomcat:9.0.81:*:*:*:*:*:*:*
9.0.82   cpe:2.3:a:apache:tomcat:9.0.82:*:*:*:*:*:*:*
9.0.83   cpe:2.3:a:apache:tomcat:9.0.83:*:*:*:*:*:*:*
9.0.84   cpe:2.3:a:apache:tomcat:9.0.84:*:*:*:*:*:*:*
9.0.85   cpe:2.3:a:apache:tomcat:9.0.85:*:*:*:*:*:*:*
9.0.86   cpe:2.3:a:apache:tomcat:9.0.86:*:*:*:*:*:*:*
9.0.87   cpe:2.3:a:apache:tomcat:9.0.87:*:*:*:*:*:*:*
9.0.88   cpe:2.3:a:apache:tomcat:9.0.88:*:*:*:*:*:*:*
9.0.89   cpe:2.3:a:apache:tomcat:9.0.89:*:*:*:*:*:*:*
9.0.90   cpe:2.3:a:apache:tomcat:9.0.90:*:*:*:*:*:*:*
9.0.91   cpe:2.3:a:apache:tomcat:9.0.91:*:*:*:*:*:*:*
9.0.92   cpe:2.3:a:apache:tomcat:9.0.92:*:*:*:*:*:*:*
9.0.93   cpe:2.3:a:apache:tomcat:9.0.93:*:*:*:*:*:*:*
9.0.94   cpe:2.3:a:apache:tomcat:9.0.94:*:*:*:*:*:*:*
9.0.95   cpe:2.3:a:apache:tomcat:9.0.95:*:*:*:*:*:*:*
9.0.96   cpe:2.3:a:apache:tomcat:9.0.96:*:*:*:*:*:*:*
9.0.97   cpe:2.3:a:apache:tomcat:9.0.97:*:*:*:*:*:*:*
9.0.98   cpe:2.3:a:apache:tomcat:9.0.98:*:*:*:*:*:*:*
9.0.99   cpe:2.3:a:apache:tomcat:9.0.99:*:*:*:*:*:*:*
9.0.100  cpe:2.3:a:apache:tomcat:9.0.100:*:*:*:*:*:*:*
9.0.101  cpe:2.3:a:apache:tomcat:9.0.101:*:*:*:*:*:*:*
9.0.102  cpe:2.3:a:apache:tomcat:9.0.102:*:*:*:*:*:*:*
9.0.103  cpe:2.3:a:apache:tomcat:9.0.103:*:*:*:*:*:*:*

Apache Tomcat 10.1.x (29 configurations; 10.1.21 is not listed)
10.1.10  cpe:2.3:a:apache:tomcat:10.1.10:*:*:*:*:*:*:*
10.1.11  cpe:2.3:a:apache:tomcat:10.1.11:*:*:*:*:*:*:*
10.1.12  cpe:2.3:a:apache:tomcat:10.1.12:*:*:*:*:*:*:*
10.1.13  cpe:2.3:a:apache:tomcat:10.1.13:*:*:*:*:*:*:*
10.1.14  cpe:2.3:a:apache:tomcat:10.1.14:*:*:*:*:*:*:*
10.1.15  cpe:2.3:a:apache:tomcat:10.1.15:*:*:*:*:*:*:*
10.1.16  cpe:2.3:a:apache:tomcat:10.1.16:*:*:*:*:*:*:*
10.1.17  cpe:2.3:a:apache:tomcat:10.1.17:*:*:*:*:*:*:*
10.1.18  cpe:2.3:a:apache:tomcat:10.1.18:*:*:*:*:*:*:*
10.1.19  cpe:2.3:a:apache:tomcat:10.1.19:*:*:*:*:*:*:*
10.1.20  cpe:2.3:a:apache:tomcat:10.1.20:*:*:*:*:*:*:*
10.1.22  cpe:2.3:a:apache:tomcat:10.1.22:*:*:*:*:*:*:*
10.1.23  cpe:2.3:a:apache:tomcat:10.1.23:*:*:*:*:*:*:*
10.1.24  cpe:2.3:a:apache:tomcat:10.1.24:*:*:*:*:*:*:*
10.1.25  cpe:2.3:a:apache:tomcat:10.1.25:*:*:*:*:*:*:*
10.1.26  cpe:2.3:a:apache:tomcat:10.1.26:*:*:*:*:*:*:*
10.1.27  cpe:2.3:a:apache:tomcat:10.1.27:*:*:*:*:*:*:*
10.1.28  cpe:2.3:a:apache:tomcat:10.1.28:*:*:*:*:*:*:*
10.1.29  cpe:2.3:a:apache:tomcat:10.1.29:*:*:*:*:*:*:*
10.1.30  cpe:2.3:a:apache:tomcat:10.1.30:*:*:*:*:*:*:*
10.1.31  cpe:2.3:a:apache:tomcat:10.1.31:*:*:*:*:*:*:*
10.1.32  cpe:2.3:a:apache:tomcat:10.1.32:*:*:*:*:*:*:*
10.1.33  cpe:2.3:a:apache:tomcat:10.1.33:*:*:*:*:*:*:*
10.1.34  cpe:2.3:a:apache:tomcat:10.1.34:*:*:*:*:*:*:*
10.1.35  cpe:2.3:a:apache:tomcat:10.1.35:*:*:*:*:*:*:*
10.1.36  cpe:2.3:a:apache:tomcat:10.1.36:*:*:*:*:*:*:*
10.1.37  cpe:2.3:a:apache:tomcat:10.1.37:*:*:*:*:*:*:*
10.1.38  cpe:2.3:a:apache:tomcat:10.1.38:*:*:*:*:*:*:*
10.1.39  cpe:2.3:a:apache:tomcat:10.1.39:*:*:*:*:*:*:*

Apache Tomcat 11.0.x (6 configurations)
11.0.0-M26  cpe:2.3:a:apache:tomcat:11.0.0:milestone26:*:*:*:*:*:*
11.0.1      cpe:2.3:a:apache:tomcat:11.0.1:*:*:*:*:*:*:*
11.0.2      cpe:2.3:a:apache:tomcat:11.0.2:*:*:*:*:*:*:*
11.0.3      cpe:2.3:a:apache:tomcat:11.0.3:*:*:*:*:*:*:*
11.0.4      cpe:2.3:a:apache:tomcat:11.0.4:*:*:*:*:*:*:*
11.0.5      cpe:2.3:a:apache:tomcat:11.0.5:*:*:*:*:*:*:*

This vulnerability affects 63 software configurations. The CPE list covers only the supported branches; the EOL 8.5.90 through 8.5.100 releases named in the description are affected as well, so match on version ranges rather than on this list alone when scanning an estate. Ensure you patch all affected systems.

Available Security Patches

3 patches available from vendors.

Oracle: CPUOCT2025 (Oracle Critical Patch Update Advisory - October 2025)
Severity: Critical
Released: Oct 21, 2025
Type: Security Update, restart required

Oracle: CPUJUL2025 (Oracle Critical Patch Update Advisory - July 2025)
Severity: Critical
Released: Jul 15, 2025
Type: Security Update, restart required

SUSE: CVE-2025-31650 (SUSE security update for CVE-2025-31650)
Severity: Unknown
Released: Apr 29, 2025
Type: Security Update

The Critical rating on the two Oracle entries is the rating of each Critical Patch Update as a whole, which bundles many fixes; this CVE itself is scored 7.5 (High) above. For distribution packages, confirm the package changelog references CVE-2025-31650 rather than relying on the upstream version number, since distributions commonly backport the fix without bumping to 9.0.104, 10.1.40 or 11.0.6.
