CVE-2025-31650: 
Java vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-31650) was discovered in Apache Tomcat, identified as an Improper Input Validation issue. The vulnerability affects multiple versions of Apache Tomcat: versions 9.0.76 through 9.0.102, 10.1.10 through 10.1.39, and 11.0.0-M2 through 11.0.5. The vulnerability was disclosed on April 28, 2025, and involves incorrect error handling for invalid HTTP priority headers (NVD, Apache Advisory).

The vulnerability stems from improper handling of invalid HTTP priority headers in Apache Tomcat's request processing. When invalid HTTP priority headers are received, the error handling mechanism fails to properly clean up the failed request, resulting in a memory leak. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a high-severity issue with network accessibility and no required privileges or user interaction (NVD).

The primary impact of this vulnerability is the potential for denial of service (DoS) attacks. When exploited, a large number of malformed requests can trigger an OutOfMemoryException, causing the affected Tomcat server to become unresponsive. The memory leak caused by incomplete cleanup of failed requests can accumulate over time, eventually exhausting the server's available memory resources (NVD, OSS Security).

Users are strongly recommended to upgrade to the fixed versions: Apache Tomcat 9.0.104, 10.1.40, or 11.0.6, which contain the necessary patches to address this vulnerability. The fixes have been implemented through several commits that improve the handling of invalid HTTP priority headers and ensure proper cleanup of failed requests (Apache Advisory, Debian Tracker).