
Security Flaw in Apache Tomcat Can Lead to Server Shutdown
A new security vulnerability has been disclosed in Apache Tomcat, one of the most widely used Java servlet containers. It was announced by the Apache Software Foundation through the Tomcat security team, and it deserves prompt attention from anyone who runs Tomcat.
Tracked as CVE-2025-31650, the vulnerability affects multiple releases on the Tomcat 9, 10.1 and 11 branches. An unauthenticated attacker can exhaust server memory by sending requests that carry malformed HTTP Priority headers (the extensible priority field defined in RFC 9218, which Tomcat implements for HTTP/2), causing a Denial of Service (DoS).
The root cause is incorrect error handling. When Tomcat rejects a request because its Priority header is invalid, it does not fully clean up the state it allocated for that failed request, so each such request leaks a little memory. An attacker who sends a large number of them can drive the JVM out of memory (the advisory calls this an OutOfMemoryException; in Java it surfaces as java.lang.OutOfMemoryError), at which point the server stops serving requests and normally has to be restarted.
In simple terms, Tomcat did detect and reject the malformed header, but the rejection path did not release everything it had already allocated. A bug that looks minor, a missed clean-up on an error path, can therefore escalate to the point of halting server operations.
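The failure mode described above, as an added illustration in Python that is not Tomcat's code and does not reproduce the actual Tomcat code path: a hypothetical RFC 9218 Priority header parser (simplified to the `u` and `i` members; unknown members, which the RFC says to ignore, are treated as malformed here), a hypothetical per-stream registry, and two request handlers. The leaky handler registers request state, then returns early when the header fails to parse without releasing that state, so every malformed request leaves an entry behind; the fixed handler releases it in a `finally` block on every exit path. The flood of malformed requests is constructed input.

```python
"""Added illustration of an 'incomplete clean-up of a failed request' leak.
Not Tomcat's code: the parser, StreamRegistry and both handlers are
hypothetical models of the pattern the advisory describes."""

import re

# One dictionary member of an RFC 9218 Priority value: 'u=<0..7>' or bare 'i'.
# Simplified on purpose: unknown members (which RFC 9218 says to ignore) and
# the 'i=?0' spelling are treated as malformed here.
_MEMBER_RE = re.compile(r"^\s*(?:u=(-?\d+)|(i))\s*$")


def parse_priority(value):
    """Parse a Priority field value such as 'u=3, i' into (urgency, incremental).
    Defaults per RFC 9218 are urgency 3 and incremental False.
    Raises ValueError for anything malformed or out of range."""
    urgency, incremental = 3, False
    if value.strip() == "":
        return urgency, incremental
    for member in value.split(","):
        m = _MEMBER_RE.match(member)
        if m is None:
            raise ValueError(f"malformed Priority member: {member!r}")
        if m.group(1) is not None:
            urgency = int(m.group(1))
            if not 0 <= urgency <= 7:
                raise ValueError(f"urgency out of range: {urgency}")
        else:
            incremental = True
    return urgency, incremental


class StreamRegistry:
    """Hypothetical per-connection bookkeeping: one entry per in-flight stream."""

    def __init__(self):
        self.active = {}


def handle_leaky(registry, stream_id, headers):
    """Vulnerable pattern: state is registered first, then header validation
    fails and the early return never removes the entry again."""
    registry.active[stream_id] = {"headers": headers}
    try:
        priority = parse_priority(headers.get("priority", ""))
    except ValueError:
        return 400          # request rejected, but the registry entry is kept: leak
    registry.active[stream_id]["priority"] = priority
    # ... the request would be serviced here ...
    del registry.active[stream_id]
    return 200


def handle_fixed(registry, stream_id, headers):
    """Hardened pattern: the finally block releases the entry on every exit
    path, whether the header parsed or not."""
    registry.active[stream_id] = {"headers": headers}
    try:
        priority = parse_priority(headers.get("priority", ""))
        registry.active[stream_id]["priority"] = priority
        # ... the request would be serviced here ...
        return 200
    except ValueError:
        return 400
    finally:
        registry.active.pop(stream_id, None)


def flood(handler, count, header_value="u=abc"):
    """Send `count` requests carrying a malformed Priority header (constructed
    input) and return how many stream entries are still registered afterwards."""
    registry = StreamRegistry()
    for stream_id in range(count):
        handler(registry, stream_id, {"priority": header_value})
    return len(registry.active)


if __name__ == "__main__":
    print("leaky handler still holds", flood(handle_leaky, 10_000), "entries")
    print("fixed handler still holds", flood(handle_fixed, 10_000), "entries")
```

The point of the comparison is the shape of the two handlers, not the parser: in the leaky version the clean-up only runs on the success path, so a flood of requests that are all rejected grows the registry without bound, while the fixed version's `finally` makes the number of retained entries independent of how many requests were malformed.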
The affected versions are:
- Apache Tomcat 9.0.76 through 9.0.102
- Apache Tomcat 10.1.10 through 10.1.39
- Apache Tomcat 11.0.0-M2 through 11.0.5
The Apache Software Foundation has released updated versions to address this issue:
- 11.0.6 or later
- 10.1.40 or later
- 9.0.104 or later
It is worth noting that although 9.0.103 contains the fix, it was never officially released and should not be used; upgrade straight to 9.0.104.
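A version check against the ranges above, as an added example that is not from the Apache advisory or this article: the affected and fixed ranges are the advisory's, while the version-string parsing, the status labels and the helper that reads the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` (the command behind Tomcat's `bin/version.sh`) are mine. The milestone handling matters because 11.0.0-M2 must sort below 11.0.0-M10 and below the final 11.0.0. The ServerInfo output at the bottom is a constructed sample.

```python
"""Added example, not from the Apache advisory or the article: check a Tomcat
version string against the affected and fixed ranges for CVE-2025-31650.
The ranges are the advisory's; parsing and status labels are assumptions."""

import re

# (first affected, last affected, first fixed release) for each branch.
AFFECTED_RANGES = [
    ("9.0.76", "9.0.102", "9.0.104"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("11.0.0-M2", "11.0.5", "11.0.6"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Turn '9.0.102' or '11.0.0-M2' into a comparable tuple.
    A milestone (-Mn) sorts below the final release of the same number,
    so 11.0.0-M2 < 11.0.0-M10 < 11.0.0."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # final release
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version):
    """Classify a version for CVE-2025-31650. Returns one of:
    'vulnerable', 'fixed', 'not an official release', 'not listed as affected'."""
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        lo, hi, fix = parse_version(first), parse_version(last), parse_version(fixed)
        if v[:2] != lo[:2]:
            continue                          # different major.minor branch
        if lo <= v <= hi:
            return "vulnerable"
        if v >= fix:
            return "fixed"
        if hi < v < fix:
            return "not an official release"  # 9.0.103: fix present, never shipped
        return "not listed as affected"       # predates the affected range
    return "not listed as affected"           # branch not named in the advisory


def version_from_serverinfo(output):
    """Pull the version out of the output of
    `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`,
    run from the Tomcat installation directory (what bin/version.sh does)."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    if m is None:
        raise ValueError("no 'Server version' line found")
    return m.group(1)


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVERINFO = """\
Server version: Apache Tomcat/9.0.102
Server built:   (constructed sample)
Server number:  9.0.102.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = version_from_serverinfo(SAMPLE_SERVERINFO)
    print(f"Tomcat {found}: {assess(found)}")
    for v in ("9.0.75", "9.0.103", "9.0.104", "10.1.39", "10.1.40",
              "11.0.0-M1", "11.0.0-M2", "11.0.6"):
        print(f"{v:>10}: {assess(v)}")
```

"not listed as affected" is deliberately not "safe": a branch such as 8.5.x is simply outside this advisory's scope, and a version older than the affected range on a supported branch predates the Priority header code but is missing every other fix since.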
Exploitation needs no authentication and no special access: an attacker only has to send enough requests carrying a malformed Priority header. The result is temporary or complete downtime for every web application hosted on the affected Tomcat instance.
This incident is a reminder that even small, rarely examined code paths in an application server, here the error handling for a single header, can carry serious risk. In widely deployed servers like Tomcat, releasing resources on every error path and validating requests properly are absolutely critical.
Organizations, developers, and system administrators should check the Tomcat versions in use right away (for example with `bin/version.sh`, or by looking at the Apache Tomcat version line in the startup log) and upgrade to 9.0.104, 10.1.40 or 11.0.6 or later where needed. Remember that Tomcat is also shipped embedded in frameworks such as Spring Boot and in container images, which pick up the fix only when they are rebuilt on a patched release. Upgrading removes the leak and restores reliable server operation.
Security is not just about fixing vulnerabilities; it is an ongoing process that involves proactively identifying and addressing them as quickly as possible.