oss-sec mailing list archives

CVE-2025-31650: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

From: Mark Thomas <markt () apache org>
Date: Mon, 28 Apr 2025 20:15:46 +0100

Severity: important

Affected versions:

- Apache Tomcat 9.0.76 through 9.0.102
- Apache Tomcat 10.1.10 through 10.1.39
- Apache Tomcat 11.0.0-M2 through 11.0.5

Description:

Improper Input Validation vulnerability in Apache Tomcat. Incorrecterror handling for some invalid HTTP priority headers resulted inincomplete clean-up of the failed request which created a memory leak. Alarge number of such requests could trigger an OutOfMemoryExceptionresulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6which fix the issue.


References:

https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-31650

Current thread:

CVE-2025-31650: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame Mark Thomas (Apr 28)