This vulnerability occurs due to improper input validation in Apache Tomcat when processing invalid HTTP/2 priority headers. When a malformed priority header is received, Tomcat fails to clean up the associated request resources correctly, leading to a memory leak. Repeated exploitation of this flaw causes the JVM to accumulate memory until an `OutOfMemoryError` is thrown, crashing the server. The issue affects Tomcat versions 9.0.76 to 9.0.102, 10.1.10 to 10.1.39, and 11.0.0-M2 to 11.0.5.
Attackers can exploit this by sending a flood of crafted HTTP/2 requests with invalid priority headers, overwhelming the server. The leaked memory is not released when the connection is closed, so the damage accumulates across connections and makes this a persistent DoS vector. Patched versions (9.0.104, 10.1.40, 11.0.6) validate the header properly and clean up the request resources.
DailyCVE Form:
Platform: Apache Tomcat
Version: 9.0.76 to 9.0.102
Vulnerability: Memory leak
Severity: Moderate
Date: 2025-04-28
What Undercode Say:
Exploitation:
1. Craft malicious HTTP/2 requests:
curl -X GET -H "Priority: invalid" http://target:8080
2. Automate flooding:
import requests
for _ in range(10000):
    requests.get("http://target:8080", headers={"Priority": "invalid"})
Detection:
1. Check Tomcat logs for `OutOfMemoryError`:
grep -i "OutOfMemoryError" /var/log/tomcat/catalina.out
2. Monitor memory usage (a JVM whose %MEM only climbs under a steady request rate is the signature to watch for; note that the `grep` below also matches itself):
ps -eo pid,%mem,cmd | grep tomcat
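As an added example that is not part of the original post, the Python script below automates the two detection checks above: it scans catalina.out text for `OutOfMemoryError` lines, pulls the Tomcat JVM's %MEM out of `ps -eo pid,%mem,cmd` output (matching the Bootstrap class rather than the word "tomcat", so the grep process is not picked up), and flags a series of %MEM samples that only ever grows. The log excerpt and ps output embedded here are constructed samples, not captured from a real server.

```python
import re

# Matches the JVM's OutOfMemoryError line as it appears in catalina.out,
# e.g. "java.lang.OutOfMemoryError: Java heap space".
OOM_RE = re.compile(r"java\.lang\.OutOfMemoryError(?::\s*(?P<detail>[^\r\n]+))?")

# Constructed sample of catalina.out (not a real server's log).
SAMPLE_CATALINA_OUT = """\
28-Apr-2025 10:00:01.123 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1532] milliseconds
28-Apr-2025 10:41:07.882 SEVERE [https-jsse-nio-8443-exec-5] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored
    java.lang.OutOfMemoryError: Java heap space
28-Apr-2025 10:41:09.004 INFO [Catalina-utility-1] org.apache.catalina.core.StandardContext.reload Reloading Context with name [/app] has started
28-Apr-2025 10:41:12.310 SEVERE [https-jsse-nio-8443-exec-9] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored
    java.lang.OutOfMemoryError: GC overhead limit exceeded
"""

# Constructed sample of `ps -eo pid,%mem,cmd` output (paths are placeholders).
SAMPLE_PS = """\
  PID %MEM CMD
    1  0.1 /sbin/init
 2310 17.4 /usr/lib/jvm/java-17/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties -classpath /opt/tomcat/bin/bootstrap.jar:/opt/tomcat/bin/tomcat-juli.jar org.apache.catalina.startup.Bootstrap start
 4471  0.0 grep tomcat
"""


def find_oom_events(log_text):
    """Return (line_number, detail) for every OutOfMemoryError line in the log text."""
    events = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = OOM_RE.search(line)
        if match:
            events.append((number, match.group("detail") or ""))
    return events


def tomcat_mem_percent(ps_output):
    """Extract %MEM of the Tomcat JVM from `ps -eo pid,%mem,cmd` output.

    The Bootstrap class name identifies the server process; a plain "tomcat"
    substring would also match the grep that produced the listing.
    """
    for line in ps_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and "org.apache.catalina.startup.Bootstrap" in parts[2]:
            return float(parts[1])
    return None


def leak_suspected(samples, growth_ratio=1.5, tolerance=0.5):
    """Flag a leak when %MEM never drops by more than `tolerance` points between
    consecutive samples and the last sample is at least `growth_ratio` times
    the first. A healthy JVM's footprint settles after warm-up; one that only
    climbs under a steady request rate matches the behaviour described above.
    """
    if len(samples) < 3:
        return False
    for earlier, later in zip(samples, samples[1:]):
        if later < earlier - tolerance:
            return False
    return samples[-1] >= growth_ratio * samples[0]


if __name__ == "__main__":
    for number, detail in find_oom_events(SAMPLE_CATALINA_OUT):
        print(f"catalina.out line {number}: OutOfMemoryError {detail}")
    print("tomcat %MEM now:", tomcat_mem_percent(SAMPLE_PS))
    # Constructed series of %MEM readings taken a minute apart.
    print("leak suspected:", leak_suspected([12.0, 14.5, 17.2, 21.0, 26.3, 33.8]))
```

In practice `tomcat_mem_percent` would be called on a schedule (cron or a monitoring agent) and the readings fed to `leak_suspected`; the OOM scan is the after-the-fact confirmation, the memory trend is the early warning.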
Mitigation:
1. Upgrade Tomcat:
wget https://dlcdn.apache.org/tomcat/tomcat-11/v11.0.6/bin/apache-tomcat-11.0.6.tar.gz
2. Disable HTTP/2 on the connector if upgrading is not immediately possible (the leak is in the HTTP/2 path; remove any nested `UpgradeProtocol` element so the connector serves plain HTTP/1.1):
<Connector port="8080" protocol="HTTP/1.1" />
3. Limit request header size (general hardening; it does not by itself prevent the leak, since the malformed header in the example above is far smaller than 8 KB):
<Connector ... maxHttpHeaderSize="8192" />
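As an added example that is not part of the original post, the Python check below scores an installation against the mitigation items above, using only the affected and fixed version numbers stated in the advisory text. It parses the "Server version" line printed by `catalina.sh version` (milestone builds such as 11.0.0-M2 sort before the final 11.0.0) and lists every connector in server.xml that still nests an HTTP/2 `UpgradeProtocol`. The version output and server.xml embedded here are constructed samples; the paths in them are placeholders.

```python
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
FINAL = 10**6  # milestone slot for a final release; sorts after every -Mn build
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# (first affected, last affected, first fixed) per branch, as stated in the advisory.
AFFECTED = [
    ("9.0.76", "9.0.102", "9.0.104"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("11.0.0-M2", "11.0.5", "11.0.6"),
]

# Constructed sample of `catalina.sh version` output (placeholder paths/dates).
SAMPLE_VERSION_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.98
Server built:   Jan 1 2025 00:00:00 UTC
Server number:  9.0.98.0
OS Name:        Linux
"""

# Constructed sample server.xml: one plain connector, one with HTTP/2 enabled.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def parse_version(version):
    """Turn '9.0.98' or '11.0.0-M2' into a comparable tuple."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)


def is_vulnerable(version):
    """True if the version falls inside one of the affected ranges (inclusive)."""
    parsed = parse_version(version)
    return any(parse_version(lo) <= parsed <= parse_version(hi) for lo, hi, _ in AFFECTED)


def fixed_release_for(version):
    """First fixed release on the same major.minor branch, or None if not listed."""
    branch = parse_version(version)[:2]
    for lo, _, fixed in AFFECTED:
        if parse_version(lo)[:2] == branch:
            return fixed
    return None


def version_from_catalina_output(text):
    """Extract the version from the 'Server version:' line of `catalina.sh version`."""
    match = re.search(r"Server version:\s+Apache Tomcat/(\S+)", text)
    return match.group(1) if match else None


def http2_connector_ports(server_xml):
    """Ports of every <Connector> that nests an HTTP/2 <UpgradeProtocol>."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_CLASS:
                ports.append(int(connector.get("port")))
    return ports


def assess(version_output, server_xml):
    """Combine both checks into one report dictionary."""
    version = version_from_catalina_output(version_output)
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "upgrade_to": fixed_release_for(version) if vulnerable else None,
        "http2_ports": http2_connector_ports(server_xml),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_SERVER_XML))
```

On a real host, feed `assess` the output of `$CATALINA_HOME/bin/catalina.sh version` and the contents of `$CATALINA_BASE/conf/server.xml`; a report with `vulnerable` true and a non-empty `http2_ports` list means the server is exposed until it is upgraded to the listed release or HTTP/2 is removed from those connectors.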
Debugging:
1. Enable verbose GC logging (the flags below are the JDK 8 spelling; on JDK 9 and later use `-Xlog:gc*:file=/tmp/gc.log`):
export JAVA_OPTS="-XX:+PrintGCDetails -Xloggc:/tmp/gc.log"
2. Analyze a heap dump (take it while memory is still climbing, or start the JVM with `-XX:+HeapDumpOnOutOfMemoryError` so one is written automatically when it dies):
jmap -dump:format=b,file=heap.bin <pid>
Sources:
Reported By: github.com