CVE-2025-31650
HIGHDescription
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
Is your site exposed to CVE-2025-31650?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
| apache | tomcat |
References
Frequently Asked Questions
What is CVE-2025-31650? +
How severe is CVE-2025-31650? +
What products are affected by CVE-2025-31650? +
How do I check if I'm vulnerable to CVE-2025-31650? +
Related Vulnerabilities
There is an incomplete cleanup vulnerability in Qt Network's Schannel support on Windows which can lead to a Denial of …
Improper cleanup of shared register resources in GPU firmware could allow an admin-privileged attacker from a Guest Virtual machine (VM) …
Due to improper Spring Security configuration, SAP Commerce Cloud allows an unauthenticated user to perform malicious input injection, resulting in …
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The …
IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php.
Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache …