
The Apache Software Foundation has released important security updates addressing two vulnerabilities in Apache Tomcat, the popular open-source web server and servlet container. The two vulnerabilities—rated as "High" and "Low" severity respectively—affect multiple versions of the Tomcat server and could potentially impact system security and stability.
CVE-2025-31650: High-Severity DoS Vulnerability
The more serious vulnerability, CVE-2025-31650, stems from incorrect error handling for certain invalid HTTP priority headers. When Tomcat encounters these malformed headers, it fails to properly clean up resources from the failed request, creating a memory leak.
Attackers could exploit this flaw by sending numerous requests with invalid priority headers, eventually triggering an OutOfMemoryException and causing a denial of service (DoS) condition.
This high-severity issue affects:
- Apache Tomcat 11.0.0-M2 through 11.0.5
- Apache Tomcat 10.1.10 through 10.1.39
- Apache Tomcat 9.0.76 through 9.0.102
The Tomcat security team identified the vulnerability during internal code reviews.
CVE-2025-31651: Low-Severity Rewrite Rule Bypass
The second vulnerability, CVE-2025-31651, allows for the potential bypass of certain rewrite rules through specially crafted requests. While rated low severity, this issue could have security implications if the bypassed rewrite rules enforced security constraints.
This vulnerability affects a wider range of versions:
- Apache Tomcat 11.0.0-M1 through 11.0.5
- Apache Tomcat 10.1.0-M1 through 10.1.39
- Apache Tomcat 9.0.0.M1 through 9.0.102
The rewrite rule bypass vulnerability was discovered by COSCO Shipping Lines DIC.
Mitigation and Remediation
Apache recommends that users of affected Tomcat installations apply one of the following mitigations for both vulnerabilities:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later
Interestingly, both issues were reportedly fixed in Apache Tomcat 9.0.103, but the release candidate for this version did not pass the required vote process. As such, users must download version 9.0.104 to obtain fixes for these vulnerabilities.
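To turn the version ranges above into a repeatable inventory check, here is an added Python example (not code from the article or from the Apache project) that parses a Tomcat version string, handles the two milestone spellings Tomcat has used ("9.0.0.M1" and "10.1.0-M1"), reports which of the two CVEs apply, and names the release to move to. It also flags 9.0.103, which sits below the fixed 9.0.104 but outside every published range because that release never shipped. The `Server version: Apache Tomcat/x.y.z` line is what `catalina.sh version` prints; the sample lines below are constructed.

```python
import re

# Affected ranges and fixed releases exactly as listed in the advisory summary above.
AFFECTED = {
    "CVE-2025-31650": [("11.0.0-M2", "11.0.5"), ("10.1.10", "10.1.39"), ("9.0.76", "9.0.102")],
    "CVE-2025-31651": [("11.0.0-M1", "11.0.5"), ("10.1.0-M1", "10.1.39"), ("9.0.0.M1", "9.0.102")],
}
FIXED_BY_BRANCH = {(11, 0): "11.0.6", (10, 1): "10.1.40", (9, 0): "9.0.104"}

# Tomcat writes milestones as "9.0.0.M1" (older branches) or "10.1.0-M1" / "11.0.0-M2" (newer).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# Matches the "Server version: Apache Tomcat/9.0.102" line printed by `catalina.sh version`.
_SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text):
    """Return a tuple that sorts correctly.

    Milestone builds (M1, M2, ...) sort before the final build with the same
    number, so 9.0.0.M1 < 9.0.0 and 11.0.0-M1 < 11.0.0-M2 < 11.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def version_from_server_line(line):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = _SERVER_LINE_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat version found in: {line!r}")
    return m.group(1)


def affected_cves(version_text):
    """Return the CVE identifiers whose published ranges include this version."""
    v = parse_version(version_text)
    return [
        cve
        for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


def recommended_upgrade(version_text):
    """Return the fixed release for this version's branch, or None if the branch is not covered."""
    v = parse_version(version_text)
    return FIXED_BY_BRANCH.get((v[0], v[1]))


def assess(version_text):
    """Summarise exposure for one installed version."""
    cves = affected_cves(version_text)
    fix = recommended_upgrade(version_text)
    if cves:
        status = "vulnerable"
    elif fix is None:
        status = "branch not covered by this advisory"
    elif parse_version(version_text) >= parse_version(fix):
        status = "fixed"
    else:
        # Below the fixed release yet outside every published range: this is
        # where 9.0.103 lands, because that release candidate was never published.
        status = "outside published ranges; verify against the release notes"
    return {"version": version_text, "cves": cves, "status": status,
            "upgrade_to": fix if cves else None}


if __name__ == "__main__":
    # Constructed sample lines, as `catalina.sh version` would print them on different hosts.
    sample_lines = [
        "Server version: Apache Tomcat/9.0.102",
        "Server version: Apache Tomcat/11.0.0-M1",
        "Server version: Apache Tomcat/10.1.40",
        "Server version: Apache Tomcat/9.0.103",
    ]
    for line in sample_lines:
        print(assess(version_from_server_line(line)))
```

Run it against the output of `catalina.sh version` on each host (or feed it the version strings from your asset inventory); a result whose `status` is anything other than `fixed` deserves a closer look before the next maintenance window.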
System administrators running Tomcat in production environments are encouraged to apply these updates as soon as possible, particularly for internet-facing servers that could be targeted by the DoS vulnerability. Organizations should prioritize patch management for these issues as part of their regular security maintenance procedures.