The flaw, which carries a high severity rating, could allow remote attackers to trigger a denial-of-service (DoS) condition, potentially disrupting business operations for organizations relying on affected Tomcat deployments.
The vulnerability stems from improper input validation and incorrect error handling when processing certain malformed HTTP priority headers.
When Tomcat receives an invalid HTTP priority header, it fails to fully clean up the failed request, resulting in a memory leak.
If an attacker sends a large number of such specially crafted requests, the server’s memory may eventually be exhausted, leading to an OutOfMemoryException and a complete denial of service.
The risk affects the following Tomcat versions:
It is important to note that while Tomcat 9.0.103 contained a fix, it was not officially released due to a failed release vote.
Therefore, users must upgrade to 9.0.104 or later to be protected.
The Apache Software Foundation strongly advises all users of affected versions to upgrade immediately to the latest patched releases:
No alternative workarounds have been suggested, making prompt upgrading essential for organizations to avoid potential service disruptions.
The Apache Tomcat security team discovered the vulnerability.
The issue was publicly disclosed on April 28, 2025, with detailed advisories and recommendations published on the official Tomcat security pages.
| Risk Factor | Description | Severity |
|---|---|---|
| Vulnerability Type | Improper Input Validation, Memory Leak, Denial-of-Service (DoS) | High |
| Attack Vector | Remote (via specially crafted HTTP priority headers) | High |
| Impact | OutOfMemoryException, Service Disruption, Potential Business Downtime | High |
| Affected Versions | Tomcat 11.0.0-M2 to 11.0.5, 10.1.10 to 10.1.39, 9.0.76 to 9.0.102 | High |
| Exploitability | High (requires sending a large number of malformed requests) | High |
| Mitigation | Upgrade to patched versions (11.0.6, 10.1.40, 9.0.104 or later) | Critical |
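To turn the version table into an inventory check, here is an added example (not code from the advisory or from the Tomcat project) that parses Tomcat version strings, including milestone builds such as 11.0.0-M2, and reports whether a deployment falls in an affected range and which fixed release applies. Range boundaries and fixed versions are taken from the table above; the version-string format is assumed to be `major.minor.patch` with an optional `-Mn` milestone suffix.

```python
"""Classify Tomcat version strings against the affected ranges above."""
import re

# Affected ranges stated in the advisory summary (inclusive).
AFFECTED_RANGES = [
    ("11.0.0-M2", "11.0.5"),
    ("10.1.10", "10.1.39"),
    ("9.0.76", "9.0.102"),
]

# First fixed release per branch. 9.0.103 contained the fix but was never
# released, so the 9.0.x branch maps to 9.0.104.
FIXED_VERSIONS = {11: "11.0.6", 10: "10.1.40", 9: "9.0.104"}

# Assumed format: major.minor.patch with an optional -Mn milestone suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text):
    """Return a sortable tuple; milestones sort before the GA of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ga_rank = 0 if milestone else 1  # 11.0.0-M2 < 11.0.0
    return (int(major), int(minor), int(patch), ga_rank, int(milestone or 0))


def is_affected(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version):
    """Fixed release for an affected version, or None if already unaffected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0]]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("app-01", "9.0.98"), ("app-02", "11.0.0-M2"),
                      ("app-03", "10.1.40"), ("app-04", "11.0.0-M1")]:
        print(host, ver, "affected -> upgrade to", recommended_upgrade(ver)
              if is_affected(ver) else "not affected")
```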
Organizations using Apache Tomcat are urged to assess their deployments and act swiftly to mitigate the risk.
Failure to do so could leave critical web services vulnerable to disruption from targeted denial-of-service attacks.
The post Apache Tomcat Flaw Allows Rule Bypass and Triggers Denial-of-Service appeared first on Cyber Security News.