VDB
DEBIAN-CVE-2025-31650
DEBIAN-CVE-2025-31650
PUBLISHED
CVSS 7.5 HIGH
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
Risk Scores
CVSS v3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | tomcat11 | 0, 0 |
| Debian:12 | tomcat10 | 10.1.8-1, 10.1.9-1, 10.1.8-1 |
| Debian:12 | tomcat9 | 0, 0 |
| Debian:14 | tomcat10 | 0, 0 |
| Debian:13 | tomcat11 | 0, 0 |
| Debian:13 | tomcat10 | 0, 0 |
| Debian:13 | tomcat9 | 0, 0 |
| Debian:14 | tomcat9 | 0, 0 |
| Debian:11 | tomcat9 | 9.0.67-1, 9.0.65-1, 9.0.64-2 |
Timeline
- Apr 28, 2025 CVE Published
- Apr 28, 2026 CVE Updated