CVE-2025-31650 is a vulnerability classified under CWE-459 (Incomplete Cleanup) found in Apache Tomcat, a widely used Java-based web server and servlet container. The flaw stems from improper input validation of HTTP priority headers, which are used to indicate the priority of HTTP/2 requests. When Tomcat encounters certain invalid priority headers, it fails to properly clean up resources allocated for the failed request, causing a memory leak. Over time, if an attacker sends a large volume of such malformed requests, the server's memory consumption increases until it triggers an OutOfMemoryException, causing the server to crash or become unresponsive, resulting in a denial of service (DoS). This vulnerability affects Apache Tomcat versions 9.0.76 through 9.0.102, 10.1.10 through 10.1.39, and 11.0.0-M2 through 11.0.5, as well as end-of-life versions 8.5.90 through 8.5.100. The issue does not require any privileges or user interaction, and the attack vector is network-based (remote). The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and impact on availability. No known exploits have been reported in the wild at the time of publication. The Apache Software Foundation has released patched versions 9.0.104, 10.1.40, and 11.0.6 to address this issue.

For European organizations, this vulnerability poses a significant risk to the availability of web services relying on affected Apache Tomcat versions. Many enterprises, government agencies, and service providers in Europe use Apache Tomcat as part of their web infrastructure. A successful exploitation could lead to service outages, disrupting business operations, customer access, and critical online services. This is particularly impactful for sectors such as finance, healthcare, public administration, and e-commerce, where uptime and service reliability are critical. Additionally, denial of service incidents can cause reputational damage and potential regulatory scrutiny under frameworks like GDPR if service disruptions affect data availability or processing. The vulnerability does not directly compromise confidentiality or integrity but can be leveraged as part of a broader attack chain to cause operational disruption.

European organizations should prioritize upgrading affected Apache Tomcat instances to the patched versions 9.0.104, 10.1.40, or 11.0.6 as soon as possible. In environments where immediate upgrade is not feasible, implementing network-level protections such as rate limiting and filtering malformed HTTP/2 priority headers can help mitigate the risk of memory exhaustion. Monitoring server memory usage and setting up alerts for abnormal consumption patterns can provide early warning signs of exploitation attempts. Employing Web Application Firewalls (WAFs) with updated signatures to detect and block suspicious HTTP/2 traffic is recommended. Additionally, organizations should review their incident response plans to include scenarios involving denial of service via resource exhaustion. Regularly auditing and inventorying Tomcat versions across the infrastructure will ensure no vulnerable instances remain unpatched.