
CVE-2025-31650: CWE-459 Incomplete Cleanup in Apache Software Foundation Apache Tomcat

Severity: High
Tags: Vulnerability, CVE-2025-31650, cve, cwe-459
Published: Mon Apr 28 2025 (04/28/2025, 19:14:31 UTC)
Source: CVE
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 through 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

AI-Powered Analysis

Last updated: 08/15/2025, 01:19:41 UTC

Technical Analysis

CVE-2025-31650 is a high-severity vulnerability affecting multiple versions of Apache Tomcat, a widely used open-source Java Servlet Container developed by the Apache Software Foundation. The vulnerability is classified under CWE-459: Incomplete Cleanup, and arises due to improper input validation related to HTTP priority headers. Specifically, when Apache Tomcat processes certain invalid HTTP priority headers, the error handling mechanism fails to fully clean up resources associated with the failed request. This incomplete cleanup leads to a memory leak within the server process. If an attacker sends a large volume of such malformed requests, the accumulated memory leak can exhaust the Java Virtual Machine (JVM) heap space, triggering an OutOfMemoryException. This results in a denial of service (DoS) condition, where the Tomcat server becomes unresponsive or crashes, disrupting availability of hosted web applications.

The affected versions include Apache Tomcat 9.0.76 through 9.0.102, 10.1.10 through 10.1.39, and 11.0.0-M2 through 11.0.5. Additionally, end-of-life versions 8.5.90 through 8.5.100 are also vulnerable.

The vulnerability does not require authentication or user interaction, and can be exploited remotely over the network by sending crafted HTTP requests with invalid priority headers. The CVSS v3.1 base score is 7.5 (High), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and impact limited to availability (no confidentiality or integrity impact).

The Apache Software Foundation has addressed this issue in Apache Tomcat versions 9.0.104, 10.1.40, and 11.0.6. Users are strongly advised to upgrade to these fixed versions to mitigate the risk. No known exploits are reported in the wild at the time of publication, but the straightforward nature of the attack and the criticality of availability for web services make this a significant threat.

In summary, CVE-2025-31650 is a remotely exploitable denial of service vulnerability caused by incomplete cleanup of failed HTTP requests with invalid priority headers in Apache Tomcat, affecting multiple actively maintained versions and some EOL versions, with a high potential impact on service availability.

Potential Impact

For European organizations, the impact of CVE-2025-31650 can be substantial, particularly for those relying on Apache Tomcat to host critical web applications, internal portals, or APIs. The vulnerability enables an attacker to cause a denial of service by exhausting server memory, leading to service outages. This can disrupt business operations, customer-facing services, and internal workflows. Sectors such as finance, healthcare, government, and e-commerce, which often depend on Tomcat-based applications, may experience operational downtime, reputational damage, and potential regulatory scrutiny due to service unavailability. Given the vulnerability does not compromise confidentiality or integrity, the primary concern is availability, which is crucial for compliance with EU regulations like the NIS Directive that mandate operational continuity for essential services. Additionally, the ease of exploitation without authentication increases the risk of opportunistic attacks or automated scanning campaigns targeting vulnerable Tomcat instances. Organizations with public-facing Tomcat servers are particularly at risk. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high severity score indicates that attackers could develop exploits rapidly.

Mitigation Recommendations

To mitigate CVE-2025-31650 effectively, European organizations should:

1. Upgrade Apache Tomcat to the fixed versions: 9.0.104, 10.1.40, or 11.0.6 as soon as possible. This is the most reliable and direct mitigation.
2. Implement Web Application Firewalls (WAFs) or network-level filtering to detect and block HTTP requests with malformed or suspicious priority headers, reducing exposure to exploit attempts.
3. Monitor server logs and JVM metrics for unusual memory usage patterns or frequent OutOfMemoryExceptions that could indicate attempted exploitation.
4. Employ rate limiting on HTTP requests to prevent high volumes of malformed requests from overwhelming the server.
5. Conduct regular vulnerability scanning and penetration testing focused on HTTP header validation to identify vulnerable Tomcat instances.
6. For organizations unable to upgrade immediately, consider isolating vulnerable Tomcat servers behind reverse proxies that can sanitize HTTP headers or reject invalid priority headers.
7. Maintain an incident response plan to quickly address potential DoS incidents caused by this vulnerability.

These steps go beyond generic advice by emphasizing specific controls around HTTP header validation, monitoring JVM health, and network-level protections tailored to the nature of this vulnerability.
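Step 1 and step 5 both come down to knowing which of your Tomcat instances fall inside the affected ranges listed above. The following is an added example, not code from the advisory or from the Tomcat project: it turns the advisory's version ranges into a checker that handles the 11.0.0-Mx milestone builds (which sort before the 11.0.0 GA release) and reports the fixed version to move to. The host names in the sample inventory are constructed.

```python
import re

# Affected ranges and fixed versions as stated in the advisory text.
# Each entry: (first affected, last affected, fixed version or None, branch is EOL).
AFFECTED_RANGES = [
    ("8.5.90", "8.5.100", None, True),        # EOL branch: no fixed release exists
    ("9.0.76", "9.0.102", "9.0.104", False),
    ("10.1.10", "10.1.39", "10.1.40", False),
    ("11.0.0-M2", "11.0.5", "11.0.6", False),
]

# Matches "9.0.102" and milestone builds such as "11.0.0-M2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version):
    """Convert a Tomcat version string into a sortable tuple.

    Milestones of a release (11.0.0-M2) sort before the GA build (11.0.0)
    of the same number, which is what the 11.0.0-M2 .. 11.0.5 range relies on.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)   # GA build
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(version):
    """Return (affected, fixed_version_or_None, note) for one Tomcat version."""
    key = version_key(version)
    for first, last, fixed, eol in AFFECTED_RANGES:
        if version_key(first) <= key <= version_key(last):
            if eol:
                return (True, None, "affected; branch is EOL, migrate to a supported branch")
            return (True, fixed, f"affected; upgrade to {fixed}")
    return (False, None, "not within an affected range listed in the advisory")


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names and versions).
    inventory = [("app01", "9.0.98"), ("app02", "11.0.0-M5"),
                 ("app03", "10.1.40"), ("legacy01", "8.5.95")]
    for host, ver in inventory:
        print(host, ver, assess(ver))
```

Distribution packages sometimes backport a fix while keeping an older version number, so treat a positive result from this check as a prompt to confirm against the package changelog rather than as proof on its own.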


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-03-31T12:13:57.705Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d981bc4522896dcbd9e72

Added to database: 5/21/2025, 9:08:43 AM

Last enriched: 8/15/2025, 1:19:41 AM

Last updated: 8/18/2025, 1:22:21 AM
