A public proof-of-concept exploit for CVE-2025-31650 in Apache Tomcat 10.1.10 through 10.1.39 demonstrates how invalid HTTP/2 Priority headers can be used to exhaust server memory and deny service.
The exploit sends a high volume of requests carrying malformed Priority header values; each rejected request leaves memory behind in Tomcat's HTTP/2 implementation, and enough of them exhaust the JVM heap.
Exploit Mechanism and Technical Analysis
The Python-based tool (TomcatKiller.py) sends asynchronous requests whose Priority header carries deliberately invalid parameters. RFC 9218 defines only u (urgency, an integer from 0 to 7) and i (incremental, a boolean); the list mixes out-of-range u values with a q parameter the RFC does not define:
```python
invalid_priorities = [
    "u=-1, q=2",
    "u=4294967295, q=-1",
    "u=-2147483648, q=1.5",
    "u=0, q=invalid",
    # 17 additional malformed variants
]
```
Key attack components:
- Concurrency Engine: Uses httpx.AsyncClient with 300 parallel tasks (configurable), each sending 100,000 requests
- Header Bombardment: Picks a random entry from the invalid list for every request, so each one is rejected by Tomcat's Priority header parsing and takes the faulty error-handling path
- Memory Stress Test: The state left behind by each rejected request is never released, so heap usage climbs with the request count until the JVM runs out of memory
The attack manifests as an OutOfMemoryError in Tomcat's logs (catalina.out or catalina.<date>.log):
```text
SEVERE [http-nio-8443-exec-7] org.apache.coyote.http2.Http2Parser.upgrade Http2Parser
java.lang.OutOfMemoryError: Java heap space
```
Impact and Mitigation Strategies
Affected Systems:
- Tomcat 10.1.10 through 10.1.39 with HTTP/2 enabled (the Apache advisory for this CVE also lists 9.0.76 through 9.0.102 and 11.0.0-M2 through 11.0.5; the fixes are in 9.0.104, 10.1.40 and 11.0.6)
- Tomcat instances behind reverse proxies that speak HTTP/2 to the backend, since the malformed header reaches Tomcat's HTTP/2 parser unchanged
Immediate Mitigations:
- Upgrade to Tomcat 10.1.40 or later, the release that fixes this issue (9.0.104 and 11.0.6 on the other supported branches)
- HTTP/2 Disable Workaround (server.xml): HTTP/2 is switched on solely by the nested UpgradeProtocol element, and Http2Protocol has no enabled attribute (Tomcat logs a warning for the unknown property and keeps HTTP/2 on), so remove or comment out the element instead:
```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- Commented out to fall back to HTTP/1.1 over TLS until the upgrade is applied:
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    -->
</Connector>
```
- Implement WAF rules that reject malformed Priority headers. Allow-list the RFC 9218 grammar (u=0..7 and the optional i flag) and deny everything else, rather than trying to enumerate bad values:
```apache
SecRule REQUEST_HEADERS:Priority "!@rx ^\s*(?:u=[0-7]|i(?:=\?[01])?)(?:\s*,\s*(?:u=[0-7]|i(?:=\?[01])?))*\s*$" \
    "id:1005,phase:1,t:none,log,deny,msg:'Invalid HTTP Priority header'"
```
  This only protects Tomcat if the WAF or proxy terminates the client's HTTP/2 connection and inspects the header before forwarding the request.
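To make the allow-list concrete, here is a strict validator for the Priority header, written for this page as an added example (it is not part of TomcatKiller.py or of Tomcat). It implements the RFC 9218 grammar using RFC 8941 dictionary syntax (u as an integer 0 to 7, i as a boolean) and is exercised against the PoC's sample values. The function names, the policy of rejecting unknown and duplicate keys, and the sample inputs are this example's own choices.

```python
"""Strict validator for the HTTP Priority header (RFC 9218).

Added example for this page; not code from TomcatKiller.py or from Tomcat.
It accepts exactly the RFC 9218 grammar (an RFC 8941 dictionary whose members
are "u=<integer 0..7>" and the boolean "i") and rejects everything else, which
is the policy a filtering proxy in front of Tomcat would apply.
"""
import re
from dataclasses import dataclass

URGENCY_DEFAULT = 3  # RFC 9218: urgency used when the parameter is absent

# RFC 8941 dictionary key: lowercase letter or '*', then lowercase/digit/_ . * -
_KEY_RE = re.compile(r"^[a-z*][a-z0-9_.*-]*$")
# RFC 8941 integer: optional sign, 1..15 digits; no whitespace around '='
_INT_RE = re.compile(r"^-?[0-9]{1,15}$")


@dataclass(frozen=True)
class Priority:
    urgency: int = URGENCY_DEFAULT
    incremental: bool = False


def parse_priority(value: str) -> Priority:
    """Parse a Priority field value, raising ValueError on any malformed member.

    Policy choices made here (stricter than RFC 9218, which says to ignore
    unknown parameters): unknown keys and duplicate keys are rejected outright,
    so a value such as "u=0, q=invalid" fails even though its "u" is fine.
    """
    if value.strip() == "":
        return Priority()  # an empty field means "use the defaults"

    urgency = URGENCY_DEFAULT
    incremental = False
    seen = set()

    for member in value.split(","):
        member = member.strip()  # RFC 8941 allows optional whitespace around the comma
        if not member:
            raise ValueError("empty dictionary member")
        key, has_value, raw = member.partition("=")
        if not _KEY_RE.match(key):
            raise ValueError(f"malformed key {key!r}")
        if key in seen:
            raise ValueError(f"duplicate key {key!r}")
        seen.add(key)

        if key == "u":
            if not has_value or not _INT_RE.match(raw):
                raise ValueError(f"urgency must be an integer, got {raw!r}")
            urgency = int(raw)
            if not 0 <= urgency <= 7:
                raise ValueError(f"urgency {urgency} outside 0..7")
        elif key == "i":
            if not has_value:        # bare key: RFC 8941 boolean true
                incremental = True
            elif raw == "?1":
                incremental = True
            elif raw == "?0":
                incremental = False
            else:
                raise ValueError(f"incremental must be ?0/?1, got {raw!r}")
        else:
            raise ValueError(f"unsupported parameter {key!r}")

    return Priority(urgency, incremental)


def is_acceptable(value: str) -> bool:
    """True if the header value may be forwarded to Tomcat, False if it must be dropped."""
    try:
        parse_priority(value)
        return True
    except ValueError:
        return False


def classify(values):
    """Return {value: verdict} for a batch of header values."""
    return {v: is_acceptable(v) for v in values}


if __name__ == "__main__":
    # The four malformed values quoted from the PoC, plus a few legitimate ones.
    samples = [
        "u=-1, q=2", "u=4294967295, q=-1", "u=-2147483648, q=1.5",
        "u=0, q=invalid",
        "u=3, i", "u=0", "i=?0", "",
    ]
    for value, ok in classify(samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {value!r}")
```

Whitespace around the equals sign, a trailing comma, a non-integer urgency or a value outside 0..7 are all rejected, so every entry in the PoC's list fails before it could reach Tomcat's parser.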
Detection Methods:
- Monitor JVM memory usage, for example with jstat -gcutil <tomcat_pid> 5s: old-generation occupancy that stays near 100% while the full-GC count keeps rising is the leak signature
- Network traffic analysis using a Wireshark display filter such as:
  http2.headers.priority.urgency == 4294967295 || http2.headers.priority.weight < 0
  This only works on decrypted traffic (the connector above is TLS on port 8443) and only if the installed dissector exposes these field names; check them against your Wireshark version before relying on the filter
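The two detection methods above can be scripted. The following is an added example written for this page (not a Tomcat or TomcatKiller.py component): it parses jstat -gcutil samples, flags the pinned-old-generation-plus-rising-full-GC pattern, and counts heap OutOfMemoryError entries in a Tomcat log, distinguishing those that follow a SEVERE entry from the HTTP/2 package. The jstat output and log lines are constructed to resemble what the page describes, and the thresholds are this example's own choices.

```python
"""Leak detection from `jstat -gcutil` samples and Tomcat logs.

Added example for this page, not a Tomcat or TomcatKiller.py component. The
jstat output and log lines below are constructed; thresholds are arbitrary
starting points to tune per deployment.
"""
import re

# Constructed: six samples of `jstat -gcutil <pid> 5s` in the JDK 8 column
# layout. JDK 11+ adds CGC/CGCT columns; the parser keys on the header so both work.
SAMPLE_JSTAT = """\
  S0     S1     E      O      M     CCS    YGC     YGCT    FGC    FGCT     GCT
  0.00  11.20  38.50  41.30  96.40  91.10    210    2.110     2    0.310    2.420
  0.00   9.75  62.10  58.90  96.40  91.10    224    2.250     2    0.310    2.560
  4.20   0.00  71.80  80.45  96.41  91.10    239    2.400     3    0.720    3.120
  0.00   6.10  55.30  94.20  96.41  91.10    251    2.520     5    1.650    4.170
  3.80   0.00  88.70  97.60  96.41  91.10    262    2.630     8    3.140    5.770
  0.00   2.90  99.10  99.30  96.41  91.10    270    2.700    13    6.020    8.720
"""

# Constructed catalina.out excerpt in Tomcat's default one-line log format.
SAMPLE_LOG = """\
29-Apr-2025 10:15:30.101 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [812] milliseconds
29-Apr-2025 10:22:41.553 SEVERE [http-nio-8443-exec-7] org.apache.coyote.http2.Http2Parser.upgrade Http2Parser
java.lang.OutOfMemoryError: Java heap space
29-Apr-2025 10:22:42.017 SEVERE [http-nio-8443-exec-3] org.apache.coyote.http2.Http2UpgradeHandler.process Http2UpgradeHandler
java.lang.OutOfMemoryError: Java heap space
29-Apr-2025 10:22:45.900 SEVERE [http-nio-8080-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() threw exception
java.lang.OutOfMemoryError: Java heap space
"""


def parse_jstat_gcutil(text: str):
    """Turn jstat -gcutil output into a list of {column: float} rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if fields == header or len(fields) != len(header):
            continue  # jstat reprints the header periodically; skip partial lines too
        rows.append(dict(zip(header, map(float, fields))))
    return rows


def leak_suspected(rows, old_gen_pct=90.0, window=3, min_full_gcs=2):
    """Leak signature: old gen (O) stays above old_gen_pct for `window`
    consecutive samples while the full-GC counter (FGC) keeps climbing.
    A healthy heap drops back after a full GC; a leaking one stays full."""
    if len(rows) < window:
        return False
    tail = rows[-window:]
    old_gen_pinned = all(r["O"] >= old_gen_pct for r in tail)
    full_gcs = tail[-1]["FGC"] - tail[0]["FGC"]
    return old_gen_pinned and full_gcs >= min_full_gcs


OOM_RE = re.compile(r"^java\.lang\.OutOfMemoryError: Java heap space")
HTTP2_SEVERE_RE = re.compile(r"\bSEVERE\b.*\borg\.apache\.coyote\.http2\.")


def count_http2_oom(log_text: str):
    """Return (total heap OOM lines, those directly following a SEVERE entry
    from Tomcat's HTTP/2 package, where this CVE's failures surface)."""
    total = http2 = 0
    previous = ""
    for line in log_text.splitlines():
        if OOM_RE.match(line):
            total += 1
            if HTTP2_SEVERE_RE.search(previous):
                http2 += 1
        previous = line
    return total, http2


if __name__ == "__main__":
    rows = parse_jstat_gcutil(SAMPLE_JSTAT)
    print("leak suspected:", leak_suspected(rows))
    print("heap OOMs (total, after http2 SEVERE):", count_http2_oom(SAMPLE_LOG))
```

In production, feed leak_suspected a sliding window of live jstat rows rather than a fixed sample, and treat a rising count from count_http2_oom during a traffic spike as the trigger to inspect Priority headers at the edge.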
This vulnerability highlights the risk hidden in HTTP/2 implementation edge cases. Organisations should reproduce the memory behaviour against a staging instance (not production, since the test is itself a denial of service), and consider temporarily falling back to HTTP/1.1 on high-value targets until they can upgrade.
The PoC's release underscores the need for strict header validation and protocol-implementation hardening in web servers and in the proxies placed in front of them.