Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
References
Link | Resource |
---|---|
https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 | Mailing List Vendor Advisory |
http://www.openwall.com/lists/oss-security/2025/04/28/2 | Mailing List Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
06 May 2025, 14:15
Type | Values Removed | Values Added |
---|---|---|
CWE |
05 May 2025, 20:12
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
First Time |
Apache
Apache tomcat |
|
CWE | CWE-459 | |
References | () https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 - Mailing List, Vendor Advisory | |
References | () http://www.openwall.com/lists/oss-security/2025/04/28/2 - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:a:apache:tomcat:11.0.0:milestone11:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone9:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone24:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone15:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone6:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone19:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone13:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone18:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone7:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone25:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone4:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone2:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone16:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone10:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone21:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone23:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone3:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone12:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone22:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone17:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone14:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone8:*:*:*:*:*:* cpe:2.3:a:apache:tomcat:11.0.0:milestone20:*:*:*:*:*:* |
29 Apr 2025, 13:52
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
28 Apr 2025, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
28 Apr 2025, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-04-28 20:15
Updated : 2025-05-06 20:15
NVD link : CVE-2025-31650
Mitre link : CVE-2025-31650
CVE.ORG link : CVE-2025-31650
JSON object : View
Products Affected
apache
- tomcat
CWE
CWE-459
Incomplete Cleanup