CVE-2025-31650: Apache Tomcat Flaw Allows Rule Bypass and Server Disruption

Published Date: May 5, 2025

Category: ShadowOpsIntel

A high-severity vulnerability in Apache Tomcat—CVE-2025-31650—was disclosed by the Apache Software Foundation. The flaw allows attackers to bypass security rules and cause Denial of Service (DoS) by exploiting malformed HTTP Priority headers, leading to memory leaks and eventual OutOfMemoryException.

Severity Level: High

VULNERABILITY OVERVIEW:

Vulnerability Details:
- CVE ID: CVE-2025-31650
- Type: Denial-of-Service (DoS) via Memory Leak
- Component Affected: Apache Tomcat’s handling of HTTP/2 Priority headers
- CVSS v3.1 score: High (exact score not given, likely 7.5–8.6 based on impact)
- Affected Versions: Apache Tomcat versions – 9.0.76 to 9.0.102, 10.1.10 to 10.1.39, 11.0.0-M2 to 11.0.5
Root Cause:
- The vulnerability lies in the HTTP/2 Priority header parsing mechanism. Specifically:
- Improper input validation of malformed or invalid Priority headers.
- When Tomcat receives a malformed request, it attempts to parse the header.
- Instead of rejecting and releasing all resources, Tomcat fails to clean up the request’s memory structures due to flawed error handling.
- This causes a memory leak — memory allocated to the request is not freed.
- Repetition of such requests eventually leads to heap exhaustion, triggering an OutOfMemoryException, resulting in server crash or hang (DoS).
Exploitation of the Vulnerability:
- Prerequisites:
  - No authentication required.
  - Server must be running an affected version of Apache Tomcat with HTTP/2 support.
- Exploitation Steps:
  - Craft multiple HTTP/2 requests with deliberately malformed Priority headers.
  - Flood the server with these requests at high volume.
  - Tomcat tries to process them, fails error cleanup, and accumulates memory usage.
  - Eventually, the server hits a heap memory limit.
- Results in:
  - OutOfMemoryException
  - Denial-of-Service (DoS) as the server becomes unresponsive.