CVE-2025-31650

HIGH7.5EPSS 10.9%

Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

發布日:2025/4/28修改日:2026/4/28

描述

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

受影響套件(6)

Bitnami/tomcat>= 9.0.76, < 9.0.104, >= 10.1.10, < 10.1.40, >= 11.0.0, < 11.0.6
Debian/tomcat10from 0, < 10.1.40-1
Debian/tomcat11from 0, < 11.0.6-1
Debian/tomcat9from 0, < 9.0.107-0+deb11u1
Maven/org.apache.tomcat.embed:tomcat-embed-core>= 9.0.76, < 9.0.104
Maven/org.apache.tomcat:tomcat-coyote>= 9.0.76, < 9.0.104

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

描述

受影響套件(6)

CVSS 分數

參考連結(18)