What is CVE-2025-31650?

CVE-2025-31650 is a vulnerability in Apache Software Foundation Tomcat, classified under Incomplete Cleanup. Published 2025-04-28.

Is CVE-2025-31650 known to be exploited?

13 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Software Foundation Tomcat

CVE-2025-31650

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests co…

EPSS: 0.664 (99.2th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Tomcat — versions 9.0.76, 10.1.10, 11.0.0-M2

Weakness classification (CWE)

CWE-459 — Incomplete Cleanup

Public proof-of-concept exploits

absholi7ly/TomcatKiller-CVE-2025-31650
tunahantekeoglu/CVE-2025-31650
B1gN0Se/Tomcat-CVE-2025-31650
obscura-cert/CVE-2025-31650
assad12341/Dos-exploit-
assad12341/DOS-exploit
sattarbug/Analysis-of-TomcatKiller---CVE-2025-31650-Exploit-Tool
s-b-repo/rustsploit
plzheheplztrying/cve_
w4zu/Debian_

References

lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826 (vendor-advisory)

Frequently asked questions

What is CVE-2025-31650?: CVE-2025-31650 is a vulnerability in Apache Software Foundation Tomcat, classified under Incomplete Cleanup. Published 2025-04-28.
Is CVE-2025-31650 known to be exploited?: 13 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.