[thredds] Fwd: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Mon, 28 Apr 2025 14:22:03 -0600

Hi all,

A couple of new Tomcat CVEs, including one of high severity, were just
announced.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Apr 28, 2025 at 1:14 PM
Subject: [SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.5
Apache Tomcat 10.1.10 to 10.1.39
Apache Tomcat 9.0.76 to 9.0.102

Description:
Incorrect error handling for some invalid HTTP priority headers resulted
in incomplete clean-up of the failed request which created a memory
leak. A large number of such requests could trigger an
OutOfMemoryException resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.6 or later
- Upgrade to Apache Tomcat 10.1.40 or later
- Upgrade to Apache Tomcat 9.0.104 or later

Note: This issue was fixed in Apache Tomcat 9.0.103 but the release vote
for the 9.0.103 release candidate did not pass. Therefore, although
users must download 9.0.104 to obtain a version that includes a fix for
this issue, version 9.0.103 is not included in the list of affected
versions.

Credit:
The vulnerability was identified by the Tomcat security team.

History:
2025-04-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html


-- 
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000
oxelson@xxxxxxxx                                       Boulder, CO 80307
------------------------------------------------------------------------------------
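The advisory gives three affected ranges and a per-branch fixed version, plus the wrinkle that 9.0.103 was never released and so is neither affected nor a usable fix. The script below is an added example (not part of the forwarded advisory or of the Tomcat project) that encodes those ranges and classifies a deployed Tomcat version against them. It assumes the version is taken from the "Server version: Apache Tomcat/x.y.z" line printed by Tomcat's version.sh/version.bat; the sample banner lines are constructed for illustration. Milestone builds such as 11.0.0-M2 are ordered before the GA build of the same number, which is what makes the 11.0.x range start at a pre-release.

```python
"""Classify a Tomcat version against the CVE-2025-31650 affected ranges.

Added example for the advisory above; the ranges are copied from its
"Versions Affected" and "Mitigation" sections.
"""
import re

# (first affected, last affected, first fixed) for each release branch.
# 11.0.0-M2 is a milestone that sorts before the 11.0.0 GA build.
AFFECTED_RANGES = [
    ("11.0.0-M2", "11.0.5", "11.0.6"),
    ("10.1.10", "10.1.39", "10.1.40"),
    ("9.0.76", "9.0.102", "9.0.104"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

# Sentinel for the GA build: any milestone number sorts below it.
_GA = 10**6


def parse_version(text):
    """Turn '9.0.102' or '11.0.0-M2' into a comparable 4-tuple.

    The 4th component is the milestone number, or _GA for a GA release,
    so that (11, 0, 0, 2) < (11, 0, 0, _GA) < (11, 0, 1, _GA).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone is not None else _GA)


def version_from_banner(line):
    """Pull the version out of a 'Server version: Apache Tomcat/9.0.100'
    line (format assumed from Tomcat's version.sh output)."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        raise ValueError(f"no Tomcat version in: {line!r}")
    return m.group(1)


def assess(version_text):
    """Return 'affected', 'fixed' or 'not listed' for one version string.

    'not listed' covers anything outside every listed range: other
    branches, builds older than the first affected one, and the
    unreleased 9.0.103 the advisory explicitly leaves out.
    """
    v = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        lo, hi, fx = (parse_version(x) for x in (first, last, fixed))
        if v[:2] != lo[:2]:          # different major.minor branch
            continue
        if lo <= v <= hi:
            return "affected"
        if v >= fx:
            return "fixed"
        return "not listed"          # same branch, but outside the range
    return "not listed"


def assess_banners(lines):
    """Map each banner line to its classification; used for a host sweep."""
    return {line: assess(version_from_banner(line)) for line in lines}


if __name__ == "__main__":
    # Constructed sample banners, not output from any real host.
    sample = [
        "Server version: Apache Tomcat/9.0.102",
        "Server version: Apache Tomcat/9.0.104",
        "Server version: Apache Tomcat/10.1.39",
        "Server version: Apache Tomcat/11.0.0-M2",
    ]
    for line, verdict in assess_banners(sample).items():
        print(f"{verdict:<10} {line}")
```

Running the script prints one verdict per banner line; in practice the banner lines would come from each host's `bin/version.sh` output rather than the constructed list.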