CVE-2025-31650

HIGH

Apache Tomcat 9.0.76-9.0.102, 10.1.10-10.1.39, 11.0.0-M2-11.0.5 - Denial of Service via HTTP Priority Header Memory Leak

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 7 public exploits for CVE-2025-31650. PoCs published by Abdualhadi khalifa, absholi7ly, tunahantekeoglu.

AI-analyzed exploit summary This exploit targets a memory leak in Apache Tomcat via invalid HTTP/2 priority headers, causing a Denial of Service (DoS). It sends malformed priority headers to trigger excessive memory consumption.

Description

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Exploits (7)

exploitdb WORKING POC
by Abdualhadi khalifa · pythonremotemultiple
https://www.exploit-db.com/exploits/52318

This exploit targets a memory leak in Apache Tomcat via invalid HTTP/2 priority headers, causing a Denial of Service (DoS). It sends malformed priority headers to trigger excessive memory consumption.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.10 to 10.1.39
No auth needed
Prerequisites: HTTP/2 support on the target server · Vulnerable Tomcat version
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 18 stars
by absholi7ly · poc
https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650

This PoC exploits CVE-2025-31650, a memory leak vulnerability in Apache Tomcat (10.1.10-10.1.39) by sending crafted HTTP/2 requests with invalid priority headers to trigger a DoS condition.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.10 to 10.1.39
No auth needed
Prerequisites: HTTP/2 support on target · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by tunahantekeoglu · poc
https://github.com/tunahantekeoglu/CVE-2025-31650

This PoC exploits CVE-2025-31650, a memory exhaustion vulnerability in Apache Tomcat, by sending malformed HTTP/2 priority headers to trigger a DoS condition. The script includes HTTP/2 support verification and async-based request flooding.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 9.0.76–9.0.102, 10.1.10–10.1.39, 11.0.0-M2–11.0.5
No auth needed
Prerequisites: HTTP/2 support on target · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by B1gN0Se · poc
https://github.com/B1gN0Se/Tomcat-CVE-2025-31650

This PoC exploits CVE-2025-31650, a memory exhaustion vulnerability in Apache Tomcat, by sending malformed HTTP/2 priority headers to trigger a DoS condition. The script includes HTTP/2 support verification and scalable async-based attack capabilities.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 9.0.76-9.0.102, 10.1.10-10.1.39, 11.0.0-M2-11.0.5
No auth needed
Prerequisites: HTTP/2 support on target · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by obscura-cert · poc
https://github.com/obscura-cert/CVE-2025-31650

This PoC demonstrates a Denial of Service (DoS) attack against Apache Tomcat 10.1.10 to 10.1.39 by flooding the server with malformed HTTP/2 priority headers. It uses asynchronous requests to overwhelm the target and includes real-time monitoring.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.10 to 10.1.39
No auth needed
Prerequisites: Target server running vulnerable Apache Tomcat version · HTTP/2 support on the target server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by assad12341 · poc
https://github.com/assad12341/Dos-exploit-

This is a functional DoS exploit for CVE-2025-31650 targeting Apache Tomcat 10.1.10-10.1.39 via malformed HTTP/2 priority headers. It uses async HTTP/2 requests to trigger memory leaks and crash the server.

Classification
Working Poc 95%
Attack Type
Dos
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat 10.1.10-10.1.39
No auth needed
Prerequisites: HTTP/2 support on target · Network access to target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER
by sattarbug · poc
https://github.com/sattarbug/Analysis-of-TomcatKiller---CVE-2025-31650-Exploit-Tool

This repository contains a Python-based scanner for detecting CVE-2025-31650, an HTTP/2 priority vulnerability in Apache Tomcat. It uses Shodan for target discovery and httpx for HTTP/2 vulnerability testing.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Apache Tomcat (versions affected by CVE-2025-31650)
No auth needed
Prerequisites: Shodan API key · Python 3.x · httpx[http2] library
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 7.5
EPSS 0.2025
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-459
Status published
Products (4)
apache/tomcat 11.0.0 milestone10 (24 CPE variants)
apache/tomcat 9.0.76 - 9.0.104
org.apache.tomcat/tomcat-coyote 9.0.76 - 9.0.104Maven
org.apache.tomcat.embed/tomcat-embed-core 9.0.76 - 9.0.104Maven
Published Apr 28, 2025
Tracked Since Feb 18, 2026