CVE-2025-31650: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-31650) was discovered in Apache Tomcat, involving improper input validation in handling HTTP priority headers. The vulnerability affects multiple versions of Apache Tomcat: versions 9.0.76 through 9.0.102, 10.1.10 through 10.1.39, and 11.0.0-M2 through 11.0.5. The issue was disclosed on April 28, 2025 (OSS Security, NVD).

The vulnerability stems from incorrect error handling of invalid HTTP priority headers, which results in incomplete cleanup of failed requests. This implementation flaw creates a memory leak condition in the system. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

When exploited, this vulnerability can lead to a denial of service condition through resource exhaustion. Specifically, a large number of malformed requests can trigger an OutOfMemoryException, making the server unresponsive (NVD).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 9.0.104, 10.1.40, or 11.0.6. These versions contain the necessary patches to address the vulnerability (Apache Advisory).