SentinelOne
CVE Vulnerability Database

CVE-2025-31650: Apache Tomcat Memory Leak DOS Vulnerability

CVE-2025-31650 is a denial of service vulnerability in Apache Tomcat caused by improper handling of invalid HTTP priority headers, leading to memory leaks. This article covers technical details, affected versions, and mitigation.


CVE-2025-31650 Overview

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

Critical Impact

Each rejected request leaves a small amount of JVM heap behind. Enough of them exhaust the heap, the JVM stops serving requests, and the instance typically has to be restarted to recover.

Affected Products

  • Apache Tomcat 9.0.76 through 9.0.102
  • Apache Tomcat 10.1.10 through 10.1.39
  • Apache Tomcat 11.0.0-M2 through 11.0.5

Discovery Timeline

  • 2025-04-28 - CVE-2025-31650 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-31650

Vulnerability Analysis

Tomcat parses the RFC 9218 Priority request header on its HTTP/2 connector. When the header value fails to parse, the error path does not fully tear down the state already allocated for the failed request, so a little heap is retained for every such request and never reclaimed. Repeating the request many times grows the heap until allocation fails, at which point the server stops responding.

Root Cause

Incomplete clean-up on the error path: when an invalid priority header is rejected, the request state that was allocated before the rejection is not released, unlike the normal path for a request that completes or fails for another reason. The fixed releases correct the error handling so that a rejected priority header disposes of the failed request like any other parse failure.

Attack Vector

Network-reachable and unauthenticated: any client that can open an HTTP/2 connection to a vulnerable connector can send requests carrying a malformed priority header. No credentials, no valid application path and no particular response are needed; the attacker only has to repeat the request often enough to consume the heap, which makes the attack cheap to run and easy to automate. Instances that do not enable the HTTP/2 upgrade protocol on their connectors do not expose the affected code path.

java
// Example exploitation code (sanitized)
public class HttpClientDoS {
    public static void main(String[] args) {
        for (int i = 0; i < 10000; i++) {
            sendInvalidHeaderRequest();
        }
    }

    private static void sendInvalidHeaderRequest() {
        // Send HTTP request with malformed priority header
        // Triggering potential memory leak
    }
}

Detection Methods for CVE-2025-31650

Indicators of Compromise

  • JVM heap (old generation) that climbs steadily and does not come back down after a full GC
  • java.lang.OutOfMemoryError: Java heap space entries in catalina.out (the form the advisory's "OutOfMemoryException" takes in practice)
  • A single client, or a small set of clients, sending an unusually high rate of HTTP/2 requests

Detection Strategies

Two signals are worth alerting on: heap usage that rises and does not recover after garbage collection (export it from the JVM via JMX into Prometheus and graph it in Grafana), and a request rate per client over HTTP/2 that is well above the site's baseline. Neither proves exploitation on its own, so correlate the two rather than alerting on either in isolation.

Monitoring Recommendations

Tomcat's default access log pattern does not record request headers, and a request whose headers are rejected during HTTP/2 header processing may never reach the access log at all, so do not expect to find the bad header value there. Watch catalina.out for java.lang.OutOfMemoryError and the access log for a rising request rate per client. For an investigation, raising the org.apache.coyote.http2 logger to FINE in conf/logging.properties gives per-stream detail, including stream resets, at a logging cost that makes it unsuitable as a permanent setting.
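The detection logic of the two sections above run over sample log lines, as an added example rather than SentinelOne tooling or anything Tomcat ships: burst_clients parses lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b) and flags any client that exceeds a request threshold over HTTP/2 inside a sliding window, and oom_events pulls java.lang.OutOfMemoryError lines out of catalina.out. The log lines are constructed for the example; the window and threshold are assumptions to be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError")


def parse_access_line(line):
    """Return host, timestamp, protocol and status from one access log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")
    proto = parts[2] if len(parts) == 3 else ""  # "GET /path HTTP/2.0"
    return {
        "host": m.group("host"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "proto": proto,
        "status": int(m.group("status")),
    }


def burst_clients(lines, window=timedelta(seconds=10), threshold=50, proto="HTTP/2.0"):
    """Map client -> peak request count for clients that send more than
    `threshold` requests over `proto` within any `window` (assumed defaults)."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["proto"] == proto:
            per_host[rec["host"]].append(rec["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count > threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def oom_events(catalina_lines):
    """Lines from catalina.out that report the JVM running out of heap."""
    return [line for line in catalina_lines if OOM_RE.search(line)]


def _access_line(host, second, request):
    # Constructed sample line in the "common" pattern.
    return f'{host} - - [28/Apr/2025:10:15:{second:02d} +0000] "{request}" 200 512'


# Constructed sample: one client hammering HTTP/2 (120 requests in 5 seconds)
# next to a normal HTTP/1.1 client.
SAMPLE_ACCESS = (
    [_access_line("203.0.113.7", i // 24, "GET /app/ HTTP/2.0") for i in range(120)]
    + [_access_line("198.51.100.2", i, "GET /app/ HTTP/1.1") for i in range(5)]
)

# Constructed catalina.out excerpt in Tomcat's one-line log format.
SAMPLE_CATALINA = [
    "28-Apr-2025 10:15:09.120 SEVERE [http-nio-8080-exec-3] "
    "org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored",
    "java.lang.OutOfMemoryError: Java heap space",
    "28-Apr-2025 10:15:09.400 INFO [main] org.apache.catalina.startup.Catalina.start "
    "Server startup in [1200] milliseconds",
]

if __name__ == "__main__":
    print("bursting clients:", burst_clients(SAMPLE_ACCESS))
    print("heap exhaustion events:", len(oom_events(SAMPLE_CATALINA)))
```

Feed real files in with open(path) as f: burst_clients(f). A client flagged here together with an OutOfMemoryError in the same period is the combination to escalate on; a burst alone is just a busy client, an OutOfMemoryError alone has many other causes.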

How to Mitigate CVE-2025-31650

Immediate Actions Required

  • Put the Tomcat connector behind a proxy or firewall so that only trusted sources can reach it directly
  • Rate-limit requests per client at the proxy or load balancer (a servlet filter runs too late: the leak happens while the request headers are being processed, before any filter or servlet sees the request)
  • Use the application-layer monitoring already in place (WAF, IDS, load balancer metrics) to watch for bursts of requests from single clients

Patch Information

Upgrade to Apache Tomcat version 9.0.104, 10.1.40, or 11.0.6, which have resolved the improper validation issue.
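A quick way to decide whether an install falls inside the ranges listed under Affected Products or already carries the fix, as an added example (not SentinelOne's or the Tomcat project's code): it reads the version string printed by Tomcat's own ServerInfo utility (java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo, which is what bin/version.sh runs) and compares it against the advisory's ranges as copied from this page. Milestone builds such as 11.0.0-M2 are ordered before the final release of the same number, which is how Tomcat numbers them; the sample ServerInfo output is constructed.

```python
import re

# Affected ranges (inclusive) and the first fixed release per branch,
# as listed in the advisory and on this page.
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102", "9.0.104"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("11.0.0-M2", "11.0.5", "11.0.6"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?\s*$")


def parse_version(text):
    """Turn '9.0.102' or '11.0.0-M2' into a sortable tuple.

    The fourth element is 1 for a final release and 0 for a milestone, so
    11.0.0-M2 < 11.0.0-M3 < 11.0.0."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_server_info(output):
    """Pull the version out of ServerInfo / version.sh output, e.g.
    'Server version: Apache Tomcat/9.0.102'."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' line in output")
    return m.group(1)


def assess(version):
    """Classify a version string against the CVE-2025-31650 ranges."""
    v = parse_version(version)
    for lo, hi, fixed in AFFECTED_RANGES:
        lo_v, hi_v, fixed_v = map(parse_version, (lo, hi, fixed))
        if v[:2] != lo_v[:2]:
            continue  # different branch (9.0.x, 10.1.x, 11.0.x)
        if lo_v <= v <= hi_v:
            return f"vulnerable: upgrade to {fixed} or later"
        if v >= fixed_v:
            return "patched"
        return "outside the published affected range; confirm against the advisory"
    return "branch not listed as affected"


if __name__ == "__main__":
    # Constructed sample of what ServerInfo prints on a 9.0.x install.
    sample = "Server version: Apache Tomcat/9.0.102\nServer number:  9.0.102.0\n"
    print(assess(version_from_server_info(sample)))
```

The "outside the published affected range" result is deliberate rather than a silent "not affected": it covers versions older than the first affected release of a branch (before priority header support was added) as well as any number between the last affected and first fixed release, and both deserve a look at the advisory rather than an automatic green light.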

Workarounds

Until the upgrade is in place, put a reverse proxy in front of Tomcat and strip or validate the Priority request header there, so that an invalid value never reaches Tomcat's parser. Because Tomcat handles this header in its HTTP/2 connector, a proxy that terminates HTTP/2 itself and forwards to Tomcat over HTTP/1.1 (as Apache httpd's mod_proxy_http does) also keeps clients away from the affected code path; the workaround only holds if Tomcat is not reachable except through the proxy.

apache
# Apache httpd reverse proxy in front of Tomcat (mod_proxy, mod_proxy_http, mod_headers).
# Tomcat only sees what the proxy forwards, so drop the RFC 9218 Priority
# request header before the request is passed on.
<Location "/">
    RequestHeader unset Priority
    ProxyPass "http://tomcat.example.com/"
    ProxyPassReverse "http://tomcat.example.com/"
</Location>
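The check a front proxy would apply to the Priority header, in Python as an added example rather than SentinelOne's or Tomcat's code (the function names are mine): parse_priority reads the RFC 9218 field value as a Structured Fields dictionary restricted to the member types the RFC defines (u as an integer 0 to 7, i as a boolean, unknown keys ignored), and sanitize_headers drops the field when it does not conform, which has the same effect as stripping the header at the proxy but only for values that fail validation. The grammar is deliberately strict: parameters and string or token values, which the Structured Fields syntax permits but RFC 9218 does not use, are treated as invalid.

```python
import re

# Structured Fields (RFC 8941) key: lcalpha or "*", then lcalpha / digit / "_" "-" "." "*"
_KEY_RE = re.compile(r"^[a-z*][a-z0-9_\-.*]*$")
# sf-integer: optional sign then 1..15 digits
_INT_RE = re.compile(r"^-?[0-9]{1,15}$")


def parse_priority(value):
    """Parse an RFC 9218 Priority field value such as "u=3, i".

    Only the member types RFC 9218 defines are accepted: "u" must be an
    integer 0..7, "i" a boolean ("i" alone means true). Unknown keys are
    ignored, as the RFC requires, but their values must still be an integer
    or boolean; parameters, strings and tokens are rejected so the filter
    stays strict. Returns the effective urgency/incremental pair (defaults
    u=3, i=false) or raises ValueError."""
    result = {"u": 3, "i": False}
    text = value.strip()
    if not text:
        raise ValueError("empty Priority value")
    for member in text.split(","):
        member = member.strip()  # optional whitespace around the comma is allowed
        key, sep, raw = member.partition("=")
        if not _KEY_RE.match(key):
            raise ValueError(f"bad dictionary key {key!r}")
        if not sep:
            val = True  # a bare key is a boolean true
        elif raw in ("?1", "?0"):
            val = raw == "?1"
        elif _INT_RE.match(raw):
            val = int(raw)
        else:
            raise ValueError(f"unsupported value {raw!r} for key {key!r}")
        if key == "u":
            if isinstance(val, bool) or not 0 <= val <= 7:
                raise ValueError(f"urgency out of range: {raw!r}")
            result["u"] = val
        elif key == "i":
            if not isinstance(val, bool):
                raise ValueError(f"incremental must be boolean: {raw!r}")
            result["i"] = val
    return result


def is_valid_priority(value):
    try:
        parse_priority(value)
    except ValueError:
        return False
    return True


def sanitize_headers(headers):
    """Copy of `headers` with a non-conforming Priority field removed: what a
    proxy in front of Tomcat would do before forwarding the request."""
    cleaned = {}
    for name, value in headers.items():
        if name.lower() == "priority" and not is_valid_priority(value):
            continue
        cleaned[name] = value
    return cleaned


if __name__ == "__main__":
    # Constructed request headers: one conforming, one not.
    for hdrs in ({"Host": "app", "Priority": "u=1, i"}, {"Host": "app", "Priority": "u=9"}):
        print(hdrs, "->", sanitize_headers(hdrs))
```

Dropping the header rather than rejecting the request is the safer default: RFC 9218 tells a recipient to fall back to the default priority on values it cannot use, so a client with a buggy header still gets served, and Tomcat never sees the value.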

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
