Severity: important
Affected versions:
- Apache Tomcat 9.0.76 through 9.0.102
- Apache Tomcat 10.1.10 through 10.1.39
- Apache Tomcat 11.0.0-M2 through 11.0.5
Description:
Improper Input Validation vulnerability in Apache Tomcat. Incorrect
error handling for some invalid HTTP priority headers resulted in
incomplete clean-up of the failed request which created a memory leak. A
large number of such requests could trigger an OutOfMemoryException
resulting in a denial of service.
This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from
10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6
which fix the issue.
References:
https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-31650
