← volver
CVE-2025-31650

Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

CVSS 7.5 HIGHEPSS 66.4%CWE-459
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Productos afectados
Apache Software Foundation · Apache Tomcat
PoCs públicas encontradas8
githubgithub.com/absholi7ly/TomcatKiller-CVE-2025-3165020githubgithub.com/tunahantekeoglu/CVE-2025-316502githubgithub.com/sattarbug/Analysis-of-TomcatKiller---CVE-2025-31650-Exploit-Tool0githubgithub.com/assad12341/DOS-exploit0githubgithub.com/assad12341/Dos-exploit-0githubgithub.com/obscura-cert/CVE-2025-316500githubgithub.com/B1gN0Se/Tomcat-CVE-2025-316500exploitdbwww.exploit-db.com/exploits/52318no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826https://lists.debian.org/debian-lts-announce/2025/07/msg00009.htmlhttp://www.openwall.com/lists/oss-security/2025/04/28/2