
The Apache Software Foundation has released important security updates to address two vulnerabilities affecting multiple versions of Apache Tomcat, the widely used open-source Java Servlet container. Identified as CVE-2025-31650 and CVE-2025-31651, these issues could potentially lead to denial of service conditions and security rule bypasses if left unpatched.
CVE-2025-31650: Denial of Service via Invalid HTTP Prioritization Header
Rated as High severity, CVE-2025-31650 concerns improper error handling when processing invalid HTTP priority headers. According to the advisory, “incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak.” Over time, a large number of such malformed requests could trigger an OutOfMemoryException, ultimately leading to a denial of service (DoS).
The affected versions include:
- Apache Tomcat 11.0.0-M2 to 11.0.5
- Apache Tomcat 10.1.10 to 10.1.39
- Apache Tomcat 9.0.76 to 9.0.102
To mitigate this risk, users are urged to update to a fixed release of the affected branch (for the 9.0.x branch, this means 9.0.104 or later, as explained below).
It is worth noting that a fix was initially included in Apache Tomcat 9.0.103, but as the advisory explains, “the release vote for the 9.0.103 release candidate did not pass.” Therefore, users must specifically upgrade to version 9.0.104 or later to obtain the official fix.
CVE-2025-31651: Rewrite Rule Bypass
The second vulnerability, CVE-2025-31651, is considered Low severity but still poses a security risk in certain configurations. It affects a subset of unlikely rewrite rule setups, where “it was possible for a specially crafted request to bypass some rewrite rules.” If those rewrite rules were critical to enforcing security constraints, this flaw could allow attackers to bypass those protections.
Affected versions include:
- Apache Tomcat 11.0.0-M1 to 11.0.5
- Apache Tomcat 10.1.0-M1 to 10.1.39
- Apache Tomcat 9.0.0.M1 to 9.0.102
As with CVE-2025-31650, users should upgrade to a fixed release of their branch.
The advisory similarly notes that while a fix was implemented in version 9.0.103, “the release vote for the 9.0.103 release candidate did not pass.” Users must upgrade directly to 9.0.104 or a later version.
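Because both CVEs are defined purely by version ranges, the practical first step for a defender is an inventory check: pull the version string from each Tomcat host and test it against the ranges listed above for both CVE-2025-31650 and CVE-2025-31651. The script below is an added example written for this article, not code from the Apache Tomcat project or the advisory. It encodes exactly the ranges given above (inclusive bounds), handles the milestone spellings the article uses (`11.0.0-M2` and `9.0.0.M1`), which must sort before the final release of the same number, and treats any 9.0.x version below 9.0.104 as unfixed because 9.0.103 never shipped. The banner line it parses (`Server version: Apache Tomcat/...`) is the format printed by `catalina.sh version`; the sample banner is constructed.

```python
import re

# Affected ranges exactly as stated in the advisory summary (inclusive bounds).
AFFECTED = {
    "CVE-2025-31650": [("11.0.0-M2", "11.0.5"), ("10.1.10", "10.1.39"), ("9.0.76", "9.0.102")],
    "CVE-2025-31651": [("11.0.0-M1", "11.0.5"), ("10.1.0-M1", "10.1.39"), ("9.0.0.M1", "9.0.102")],
}

# The only fixed version the article states explicitly: 9.0.103 never shipped, so
# on the 9.0.x branch anything below 9.0.104 is not on an official fixed release.
FIXED_9_BRANCH = "9.0.104"

# Accepts "9.0.102", "11.0.0-M2" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")

# Sentinel larger than any real milestone number, so a final release
# (e.g. 11.0.0) sorts after every milestone of that number (11.0.0-M1 ... M26).
_FINAL = 10**6

# Format printed by `catalina.sh version` / `version.sh`.
_BANNER_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(text):
    """Turn a Tomcat version string into a tuple that compares correctly.

    Milestones sort before the final release of the same number:
    (11, 0, 0, 1) < (11, 0, 0, 2) < (11, 0, 0, _FINAL) < (11, 0, 1, _FINAL).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else _FINAL
    return (int(major), int(minor), int(patch), rank)


def affected_cves(version):
    """Return the CVE ids (from AFFECTED) whose ranges contain `version`."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges):
            hits.append(cve)
    return hits


def needs_upgrade(version):
    """True if the version is in an affected range, or is a 9.0.x build that
    predates 9.0.104 (covers the unreleased 9.0.103 candidate)."""
    v = parse_version(version)
    if affected_cves(version):
        return True
    return v[:2] == (9, 0) and v < parse_version(FIXED_9_BRANCH)


def version_from_banner(banner):
    """Extract the version from `catalina.sh version` output, or None if absent."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


# Constructed sample banner, shaped like `catalina.sh version` output.
SAMPLE_BANNER = """Using CATALINA_BASE:   /opt/tomcat
Using JRE_HOME:        /usr/lib/jvm/java-17
Server version: Apache Tomcat/9.0.102
Server built:   (constructed sample)
"""


if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    print(f"{found}: affected by {affected_cves(found)}; upgrade needed: {needs_upgrade(found)}")
    for candidate in ("9.0.75", "9.0.103", "9.0.104", "10.1.9", "11.0.0-M1", "11.0.6"):
        print(f"{candidate:>10}: {affected_cves(candidate) or 'not in an affected range'}")
```

Note that 9.0.75 is flagged for CVE-2025-31651 only (its range starts at 9.0.0.M1, while CVE-2025-31650 starts at 9.0.76), and 9.0.103 falls outside both ranges yet still reports `needs_upgrade` because it was never an official release. Fixed versions for the 10.1.x and 11.0.x branches are not stated in the article, so the script only applies the "below the fixed release" rule to the 9.0 branch; extend `needs_upgrade` with the other branches' fixed versions from the advisory itself.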