A significant vulnerability, CVE-2025-31650, has been discovered in Apache Tomcat, a widely used Java application server. This high-severity flaw can allow attackers to bypass security rules and trigger denial-of-service (DoS) conditions by manipulating HTTP Priority headers. The vulnerability stems from improper input validation in how Tomcat handles these headers, leading to memory leaks and potential application crashes when malformed requests are sent. As the server processes invalid HTTP headers, it fails to properly clean up resources, resulting in an OutOfMemoryException.
The flaw affects multiple versions of Apache Tomcat, including versions 9.0.76–9.0.102, 10.1.10–10.1.39, and 11.0.0-M2–11.0.5.
Attackers can exploit this vulnerability without authentication, simply by sending numerous malformed HTTP requests. Once triggered, the memory leak leads to a denial of service, rendering the application unavailable. Apache Tomcat’s failure to release unused memory exacerbates this issue, ultimately causing the system to reach its maximum allocated memory and crash.
The vulnerability represents a significant risk for organizations using these affected versions. Apache Software Foundation has recommended immediate upgrades to patched versions: 9.0.104, 10.1.40, or 11.0.6. While version 9.0.103 contained a fix, it was excluded due to a failed release vote. This vulnerability marks the second major security issue discovered in Apache Tomcat in recent months, following a critical remote code execution vulnerability disclosed in March 2025.
In light of the critical nature of this issue, organizations relying on Apache Tomcat are urged to prioritize patching vulnerable systems to avoid potential service disruptions.
The vulnerability’s ease of exploitation and the potential for widespread impact make it a serious concern for anyone using affected versions of the software. Immediate action is strongly advised to prevent malicious actors from taking advantage of this flaw.