Improper Input Validation Affecting tomcat9-lib package, versions <1:9.0.104-1.amzn2023.0.1


Severity

Recommended
0.0
high
0
10

Based on Amazon Linux security rating.

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
66.93% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-AMZN2023-TOMCAT9LIB-10123767
  • published14 May 2025
  • disclosed28 Apr 2025

Introduced: 28 Apr 2025

CVE-2025-31650  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade Amazon-Linux:2023 tomcat9-lib to version 1:9.0.104-1.amzn2023.0.1 or higher.
This issue was patched in ALAS2023-2025-964.

NVD Description

Note: Versions mentioned in the description apply only to the upstream tomcat9-lib package and not the tomcat9-lib package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2023 relevant fixed versions and status.

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100.

Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

CVSS Base Scores

version 3.1