Apache Tomcat Vulnerability Lets Attackers Bypass Rules & Trigger DoS Condition
The Apache Software Foundation disclosed a significant security vulnerability in Apache Tomcat that could allow attackers to bypass security rules and trigger denial-of-service conditions through manipulated HTTP priority headers.
Identified as CVE-2025-31650, this high-severity vulnerability affects multiple Tomcat versions, posing a significant security risk to organizations relying on this popular Java application server.
Apache Tomcat Denial of Service Vulnerability
The vulnerability stems from improper input validation in Apache Tomcat’s handling of HTTP Priority headers.
According to the security advisory, “Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak”.
When attackers send numerous malformed requests containing invalid HTTP priority headers, they can trigger an OutOfMemoryException, effectively causing a denial of service that renders the application unavailable.
The HTTP Priority header is a legitimate component of web communications that indicates a client’s preference for the priority order in which responses should be delivered.
However, this new vulnerability shows that Tomcat’s processing of these headers contains a flaw that fails to properly validate and sanitize input.
| Risk Factors | Details |
|---|---|
| Affected Products | Apache Tomcat 9.0.76–9.0.102; Apache Tomcat 10.1.10–10.1.39; Apache Tomcat 11.0.0-M2–11.0.5 |
| Impact | Denial of Service (DoS) |
| Exploit Prerequisites | Attacker must send a large number of HTTP requests with invalid HTTP priority headers; no authentication required |
| CVSS 3.1 Score | High |
Affected Versions
The vulnerability impacts the following Apache Tomcat versions:
- Apache Tomcat 11.0.0-M2 to 11.0.5
- Apache Tomcat 10.1.10 to 10.1.39
- Apache Tomcat 9.0.76 to 9.0.102
Users of these versions should immediately consider upgrading to patched versions.
The vulnerability exploits how Tomcat handles memory resources. When the server receives an invalid HTTP Priority header, it fails to properly clean up resources, creating a memory leak.
As noted in the report, a “large number of such requests could trigger an OutOfMemoryException resulting in a denial of service”.
This is reminiscent of previous Java application memory issues. As one system administrator noted in previous incidents, “Tomcat is unable to release unused memory. It just adds the memory and reaches its maximum allocated memory”.
Mitigation
The Apache Software Foundation recommends the following mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later
Although version 9.0.103 contained the fix for this issue, “the release vote for the 9.0.103 release candidate did not pass,” so it was never released; it is therefore not listed among the affected versions, and 9.0.104 is the first 9.0.x release that ships the fix.
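A quick way to check an inventory of Tomcat installations against the affected and fixed ranges listed above. This is an added example, not code from the Apache advisory or the Tomcat project; the version ranges are the ones reported on this page, and the version-parsing logic (including how `-Mn` milestone builds are ordered) is an assumption of this example.

```python
"""Check whether an Apache Tomcat version string falls in the ranges
reported as affected by CVE-2025-31650 and, if so, name the fixed release.

Added example; not code from the advisory or the Tomcat project."""
import re

# Affected ranges as reported in the advisory (inclusive), keyed by major line.
AFFECTED = {
    9: ("9.0.76", "9.0.102"),
    10: ("10.1.10", "10.1.39"),
    11: ("11.0.0-M2", "11.0.5"),
}
# First release on each line that contains the fix.
FIXED = {9: "9.0.104", 10: "10.1.40", 11: "11.0.6"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(s):
    """Turn '11.0.0-M2' into a sortable tuple (major, minor, patch, milestone).

    Assumption: a milestone build (-Mn) precedes the final release of the same
    x.y.z, so the final release gets an 'infinite' milestone component."""
    m = _VER.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone else float("inf")
    return (int(major), int(minor), int(patch), ms)


def is_affected(version):
    """True if the version lies inside an affected range from the advisory.
    Note that 9.0.103 falls outside the 9.0.x range, matching the advisory."""
    v = parse_version(version)
    rng = AFFECTED.get(v[0])
    if rng is None:
        return False  # major line not listed in the advisory
    lo, hi = (parse_version(x) for x in rng)
    return lo <= v <= hi


def recommended_upgrade(version):
    """Return the first fixed release on the same major line, or None."""
    return FIXED.get(parse_version(version)[0])


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("app01", "9.0.98"), ("app02", "11.0.0-M2"), ("app03", "10.1.40")]:
        status = f"AFFECTED, upgrade to {recommended_upgrade(ver)}" if is_affected(ver) else "not affected"
        print(f"{host}: Tomcat {ver} -> {status}")
```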
This marks the second major Apache Tomcat vulnerability in recent months. In March 2025, CVE-2025-24813 was disclosed, a critical remote code execution vulnerability with a CVSS score of 9.8 that allowed attackers to take control of vulnerable servers.
Given the critical nature of this vulnerability and its potential to completely disable web applications, immediate action is strongly recommended.