Severity
High
Analysis Summary
A newly disclosed vulnerability, CVE-2025-31650, presents a serious remote denial-of-service (DoS) threat to Apache Tomcat servers, including the 10.1.x line from 10.1.10 through 10.1.39 (the full set of affected ranges is listed under Affected Products below). The flaw lies in how Tomcat handles HTTP/2 priority headers: malformed or extreme parameter values can bypass its normal validation.
The vulnerability was publicly disclosed on June 5, 2025, by a security researcher, who also released a Python-based proof-of-concept exploit. The exploit uses the httpx library to send asynchronous malformed requests to the target server, leading to memory exhaustion and eventual service failure.
The exploit works by launching 300 concurrent tasks, each capable of sending up to 100,000 requests carrying malformed priority headers such as u=-1, q=2, u=4294967295, q=-1, and u=-2147483648, q=1.5. These values are chosen to hit edge cases in Tomcat's HTTP/2 implementation where memory is not released after invalid input is processed. Unlike a traditional DDoS attack that saturates bandwidth, this attack causes a progressive memory leak on the server, so conventional volumetric network defenses are poorly suited to stopping it. The end result is a server crash via OutOfMemoryError and full application downtime.
The exploit is notable for its evasion techniques, including randomized User-Agent strings and dynamic HTTP/2 header manipulation, which help it avoid basic detection tools. It also includes real-time server monitoring and attack performance tracking, with live statistics on success rates, request failures, and server responses that let an attacker adjust the attack as it runs. Exploitation requires that the target support HTTP/2, so confirming the protocol is the first step of the attack.
To mitigate this vulnerability, affected organizations should immediately upgrade to a patched Apache Tomcat version outside the affected ranges. In the interim, teams can consider disabling HTTP/2 support on critical systems, at the cost of some performance. Network-level defenses should include rate limiting for HTTP/2 requests and monitoring for unusual or malformed priority headers. Security teams should also deploy intrusion detection signatures tailored to this exploit and configure memory-usage alerts to catch early signs of exploitation. Failure to act leaves even well-provisioned systems exposed to sustained, low-bandwidth memory exhaustion.
Impact
- Denial of Service
Indicators of Compromise
CVE
CVE-2025-31650
Affected Vendors
- Apache
Affected Products
- Apache Tomcat - 10.1.10 - 10.1.39
- Apache Tomcat - 11.0.0 - 11.0.5
- Apache Tomcat - 9.0.76 - 9.0.102
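The following is an added example, not code from the advisory or from the Apache Tomcat project: a small triage helper that checks whether a Tomcat version string falls inside the inclusive ranges listed above. The sample inventory at the bottom is constructed. It accepts both the three-part form used in the list and the four-part `server.number` form that Tomcat's ServerInfo.properties uses (the fourth component is ignored); milestone or otherwise non-numeric versions are reported as unparseable rather than guessed at.

```python
"""Classify Apache Tomcat version strings against the CVE-2025-31650 affected ranges
listed in this advisory (example code, not from the advisory or the Tomcat project)."""
import re

# Inclusive ranges copied from the Affected Products list above.
AFFECTED_RANGES = [
    ((9, 0, 76), (9, 0, 102)),
    ((10, 1, 10), (10, 1, 39)),
    ((11, 0, 0), (11, 0, 5)),
]

# "10.1.39" or "10.1.39.0" (ServerInfo.properties server.number form); the
# optional fourth component carries no meaning for the range check.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?$")


def parse_version(text):
    """Turn '10.1.39' into (10, 1, 39); raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(text):
    """True when the version lies inside any affected range (bounds inclusive)."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to 'affected', 'not-affected' or 'unparseable'."""
    result = {}
    for v in versions:
        try:
            result[v] = "affected" if is_affected(v) else "not-affected"
        except ValueError:
            result[v] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed inventory sample; these are not real hosts or findings.
    sample = ["10.1.39", "10.1.40", "9.0.75", "9.0.102", "11.0.5",
              "11.0.6", "10.1.9", "8.5.100", "10.1.39.0", "11.0.0-M2"]
    for ver, status in triage(sample).items():
        print(f"{ver:>10}  {status}")
```

Run it against the version strings collected from your inventory; anything reported as unparseable (milestone builds, vendor-patched version strings) needs a manual look rather than being assumed safe.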
Remediation
- Upgrade to the latest version of Apache Tomcat, available from the Apache Security Advisory.
- Upgrade Apache Tomcat to a version outside the vulnerable ranges listed under Affected Products (for example, beyond 10.1.10 – 10.1.39) as soon as possible.
- Temporarily disable HTTP/2 support on critical servers if immediate patching is not feasible (note: may impact performance and application compatibility).
- Implement rate limiting for HTTP/2 connections to reduce the effectiveness of high-volume request attacks.
- Deploy intrusion detection rules to detect and block the malformed priority headers used in the exploit (e.g., u=-1, q=2).
- Monitor memory consumption patterns and configure alerts for unusual spikes that may indicate active exploitation.
- Inspect and filter incoming HTTP/2 headers to reject malformed or out-of-spec values at the application gateway or WAF (Web Application Firewall) level.
- Log and review HTTP/2 traffic for patterns of abuse, such as high request volume or repeated connection attempts with malformed headers.
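As an added example (not code from the advisory, from any WAF product, or from the Tomcat project), the block below implements the header filtering and log review the last four remediation items describe: a strict validator for Priority header values and a detector that runs it over access-log lines and reports clients that repeatedly send malformed ones. RFC 9218 defines the `u` parameter as an integer from 0 to 7 and `i` as a boolean; treating any other key or value as malformed and rejecting it at the gateway is this example's assumed policy, tighter than simply ignoring what is not understood. The log format and the log lines themselves are constructed for the example, using the header values quoted in the Analysis Summary.

```python
"""Strict Priority header validation plus a per-client malformed-header detector
(example code; the log format and sample lines are constructed, not real traffic)."""
import re
from collections import Counter

# RFC 9218 parameters: u is an integer 0..7, i is a boolean flag.
URGENCY_MIN, URGENCY_MAX = 0, 7
KNOWN_KEYS = {"u", "i"}
KEY_RE = re.compile(r"[a-z*][a-z0-9_\-.*]*")   # RFC 8941 dictionary key syntax
INT_RE = re.compile(r"-?[0-9]+")


def validate_priority(value):
    """Return (ok, reason). Policy choice of this example: anything outside the
    dictionary grammar, any unknown key, a non-integer or out-of-range urgency,
    or a non-boolean 'i' is rejected rather than ignored."""
    value = value.strip()
    if not value:
        return False, "empty value"
    for member in value.split(","):
        member = member.strip()
        if not member:
            return False, "empty dictionary member"
        key, sep, raw = member.partition("=")
        key, raw = key.strip(), raw.strip()
        if not KEY_RE.fullmatch(key):
            return False, f"bad key syntax {key!r}"
        if key not in KNOWN_KEYS:
            return False, f"unknown key {key!r}"
        if key == "u":
            if not sep or not INT_RE.fullmatch(raw):
                return False, "urgency is not an integer"
            if not URGENCY_MIN <= int(raw) <= URGENCY_MAX:
                return False, "urgency out of range"
        elif sep and raw not in ("?1", "?0"):   # bare 'i' means true
            return False, "incremental is not a boolean"
    return True, "ok"


# Constructed access-log layout: timestamp, client, request line, status, Priority
# header value ("-" when the header is absent, as access-log valves usually print it).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<priority>[^"]*)"$'
)

SAMPLE_LOG = """\
2025-06-06T10:00:01Z 203.0.113.5 "GET / HTTP/2.0" 200 "u=-1, q=2"
2025-06-06T10:00:01Z 203.0.113.5 "GET / HTTP/2.0" 200 "u=4294967295, q=-1"
2025-06-06T10:00:02Z 203.0.113.5 "GET / HTTP/2.0" 200 "u=-2147483648, q=1.5"
2025-06-06T10:00:02Z 203.0.113.5 "GET / HTTP/2.0" 200 "u=-1, q=2"
2025-06-06T10:00:03Z 198.51.100.7 "GET /app HTTP/2.0" 200 "u=3, i"
2025-06-06T10:00:03Z 198.51.100.7 "GET /app HTTP/2.0" 200 "-"
2025-06-06T10:00:04Z 198.51.100.7 "GET /app HTTP/1.1" 200 "u=9"
2025-06-06T10:00:05Z 192.0.2.9 "GET /x HTTP/2.0" 200 "u=8"
""".splitlines()


def scan_log(lines, threshold=3):
    """Count malformed Priority values per client over HTTP/2 requests only and
    return {client: count} for clients at or above the threshold."""
    malformed = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["req"].split()[-1] != "HTTP/2.0":
            continue                      # unparseable line or not HTTP/2: out of scope
        if m["priority"] == "-":
            continue                      # header absent
        ok, _reason = validate_priority(m["priority"])
        if not ok:
            malformed[m["client"]] += 1
    return {client: n for client, n in malformed.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {client}: {n} malformed Priority headers over HTTP/2")
```

The same `validate_priority` check can sit in front of the application (a gateway or WAF rule that returns 400 on a False result), while `scan_log` is the review pass over what got through; pair the alert with the memory-usage monitoring the list above calls for, since a single client tripping the threshold is the expected precursor to the heap growth this exploit causes.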