Apache Tomcat Vulnerability Let Attackers Bypass Rules & Trigger DoS Condition
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
The Apache Software Foundation disclosed a significant security vulnerability in Apache Tomcat that could allow attackers to bypass security rules and trigger denial-of-service conditions through manipulated HTTP priority headers.
Identified as CVE-2025-31650, this high-severity vulnerability affects multiple Tomcat versions, posing a significant security risk to organizations relying on this popular Java application server.
Apache Tomcat Denial of Service Vulnerability
The vulnerability stems from improper input validation in Apache Tomcat’s handling of HTTP Priority headers.
According to the security advisory, “Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak”.
When attackers send numerous malformed requests containing invalid HTTP priority headers, they can trigger an OutOfMemoryException, effectively causing a denial of service that renders the application unavailable.
The HTTP Priority header is a legitimate component of web communications that indicates a client’s preference for the priority order in which responses should be delivered.
However, this new vulnerability shows that Tomcat’s processing of these headers contains a flaw that fails to properly validate and sanitize input.
Risk Factors Details Affected ProductsApache Tomcat 9.0.76–9.0.102Apache Tomcat 10.1.10–10.1.39Apache Tomcat 11.0.0-M2–11.0.5ImpactDenial of Service (DoS)Exploit PrerequisitesAttacker must send a large number of HTTP requests with invalid HTTP priority headers; no authentication requiredCVSS 3.1 ScoreHigh
Affected Versions
The vulnerability impacts the following Apache Tomcat versions:
Users of these versions should immediately consider upgrading to patched versions.
The vulnerability exploits how Tomcat handles memory resources. When the server receives an invalid HTTP Priority header, it fails to properly clean up resources, creating a memory leak.
As noted in the report, a “large number of such requests could trigger an OutOfMemoryException resulting in a denial of service”.
This is reminiscent of previous Java application memory issues. As one system administrator noted in previous incidents, “Tomcat is unable to release unused memory. It just adds the memory and reaches its maximum allocated memory”.
Mitigation
The Apache Software Foundation recommends the following mitigations:
Although version 9.0.103 contained fixes for this issue, “the release vote for the 9.0.103 release candidate did not pass,” so this version is not included among the affected versions despite containing the fix.
This marks the second major Apache Tomcat vulnerability in recent months. In March 2025, CVE-2025-24813 was disclosed, a critical remote code execution vulnerability with a CVSS score of 9.8 that allowed attackers to take control of vulnerable servers.
Given the critical nature of this vulnerability and its potential to completely disable web applications, immediate action is strongly recommended.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Apache Tomcat Vulnerability Let Attackers Bypass Rules & Trigger DoS Condition
Author: Guru BaranThe Apache Software Foundation disclosed a significant security vulnerability in Apache Tomcat that could allow attackers to bypass security rules and trigger denial-of-service conditions through manipulated HTTP priority headers.
Identified as CVE-2025-31650, this high-severity vulnerability affects multiple Tomcat versions, posing a significant security risk to organizations relying on this popular Java application server.
Apache Tomcat Denial of Service Vulnerability
The vulnerability stems from improper input validation in Apache Tomcat’s handling of HTTP Priority headers.
According to the security advisory, “Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak”.
When attackers send numerous malformed requests containing invalid HTTP priority headers, they can trigger an OutOfMemoryException, effectively causing a denial of service that renders the application unavailable.
The HTTP Priority header is a legitimate component of web communications that indicates a client’s preference for the priority order in which responses should be delivered.
However, this new vulnerability shows that Tomcat’s processing of these headers contains a flaw that fails to properly validate and sanitize input.
Risk Factors Details Affected ProductsApache Tomcat 9.0.76–9.0.102Apache Tomcat 10.1.10–10.1.39Apache Tomcat 11.0.0-M2–11.0.5ImpactDenial of Service (DoS)Exploit PrerequisitesAttacker must send a large number of HTTP requests with invalid HTTP priority headers; no authentication requiredCVSS 3.1 ScoreHigh
Affected Versions
The vulnerability impacts the following Apache Tomcat versions:
- Apache Tomcat 11.0.0-M2 to 11.0.5
- Apache Tomcat 10.1.10 to 10.1.39
- Apache Tomcat 9.0.76 to 9.0.102
Users of these versions should immediately consider upgrading to patched versions.
The vulnerability exploits how Tomcat handles memory resources. When the server receives an invalid HTTP Priority header, it fails to properly clean up resources, creating a memory leak.
As noted in the report, a “large number of such requests could trigger an OutOfMemoryException resulting in a denial of service”.
This is reminiscent of previous Java application memory issues. As one system administrator noted in previous incidents, “Tomcat is unable to release unused memory. It just adds the memory and reaches its maximum allocated memory”.
Mitigation
The Apache Software Foundation recommends the following mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later
Although version 9.0.103 contained fixes for this issue, “the release vote for the 9.0.103 release candidate did not pass,” so this version is not included among the affected versions despite containing the fix.
This marks the second major Apache Tomcat vulnerability in recent months. In March 2025, CVE-2025-24813 was disclosed, a critical remote code execution vulnerability with a CVSS score of 9.8 that allowed attackers to take control of vulnerable servers.
Given the critical nature of this vulnerability and its potential to completely disable web applications, immediate action is strongly recommended.
#Apache #Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
