Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <c78613d1-b199-41ea-b230-64ff88632a48@apache.org>
Date: Mon, 28 Apr 2025 20:15:46 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-31650: Apache Tomcat: DoS via malformed HTTP/2
 PRIORITY_UPDATE frame

Severity: important

Affected versions:

- Apache Tomcat 9.0.76 through 9.0.102
- Apache Tomcat 10.1.10 through 10.1.39
- Apache Tomcat 11.0.0-M2 through 11.0.5

Description:

Improper Input Validation vulnerability in Apache Tomcat. Incorrect 
error handling for some invalid HTTP priority headers resulted in 
incomplete clean-up of the failed request which created a memory leak. A 
large number of such requests could trigger an OutOfMemoryException 
resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 
10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 
which fix the issue.

References:

https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-31650

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.