CVE-2025-31650

HIGH

CVSS v3

7.5

HIGH

EPSS Score

15.6%

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Technical Details

Published
4/28/2025
Exploit-DB
EDB-52318

Frequently Asked Questions

What is CVE-2025-31650?

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Is CVE-2025-31650 actively exploited?

Active exploitation of CVE-2025-31650 has not been confirmed. The EPSS score is 15.6%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2025-31650?

CVE-2025-31650 has a CVSS v3 base score of 7.5 (HIGH severity).

Is CVE-2025-31650 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.