Recent DoS Vulnerabilities in Apache Tomcat



1. CVE-2025-48989 — “MadeYouReset” (HTTP/2 Rapid Reset Bypass)

  • What happened?
    On August 6, 2025, Apache Tomcat 9.0.108 was released to address a high-severity DoS vulnerability, now known as the "MadeYouReset" attack. It targets HTTP/2 stream reset handling. In the 2023 "Rapid Reset" attack (CVE-2023-44487) the client reset its own streams, and servers now rate-limit client-sent RST_STREAM frames; in MadeYouReset the client instead sends malformed frames or flow-control violations that force the server to issue the reset. Those server-initiated resets are not counted against the per-connection reset limit, while the already-dispatched requests keep consuming resources, so a sustained flood exhausts server memory and Tomcat fails with an OutOfMemoryError.

  • Key details:
    A follow-up report on August 14, 2025 confirms that the Tomcat issue (CVE-2025-48989) is one instance of a broader HTTP/2 design flaw tracked as CVE-2025-8671, which also affects other implementations such as F5 BIG-IP and Netty. Any other HTTP/2 server in the same request path (load balancers, proxies, other application servers) should be checked against its own vendor's MadeYouReset advisory.

  • Affected versions:

    • Tomcat 9.0.x up to and including 9.0.107

    • Tomcat 10.1.x up to and including 10.1.43

    • Tomcat 11.0.x up to and including 11.0.9

  • Fix available:
    Upgrade to at least 9.0.108, 10.1.44, or 11.0.10.

2. CVE-2025-31650 — Malformed HTTP/2 Priority Header Memory Leak

  • Issue:
    Incorrect error handling for some malformed values of the HTTP Priority header (RFC 9218, processed by Tomcat's HTTP/2 connector) left the failed request incompletely cleaned up, so every such request leaked memory. A sustained burst of them triggers an OutOfMemoryError and takes the server down.

  • Severity & scope:
    Rated high severity (CVSS 7.5) with low attack complexity: the request is cheap to craft, needs no authentication, and requires only that HTTP/2 be enabled on the connector.

  • Affected versions:

    • Tomcat 9.0.76–9.0.102

    • Tomcat 10.1.10–10.1.39

    • Tomcat 11.0.0‑M2–11.0.5

  • Fix available:
    Upgrade to at least 9.0.104, 10.1.40, or 11.0.6.


3. Other DoS-related Vulnerabilities

  • CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 (Belgium CCB Advisory)

    • CVE-2025-52434: Inadequate handling of crafted HTTP/2 requests on the APR/Native connector allows DoS. It only matters if you run that connector with HTTP/2 enabled, which restricts it to the 9.0.x branch (10.1 and 11 no longer ship the APR/Native connector).

    • CVE-2025-52520: Integer overflow in the multipart file upload size-limit check. A crafted upload bypasses the configured limit and causes DoS; only applications that accept multipart uploads through Tomcat are exposed.

    • CVE-2025-53506: Inadequate control over the number of HTTP/2 streams a client can hold in flight. A client that opens streams faster than the server drains them drives resource exhaustion and DoS.

    All three were fixed in Tomcat 9.0.107; CVE-2025-52520 and CVE-2025-53506 were also fixed in 10.1.43 and 11.0.9. The MadeYouReset releases (9.0.108, 10.1.44, 11.0.10) therefore include these fixes as well.

  • Prior vulnerabilities:


Summary Table

CVE ID                          | What it does                                              | Vulnerable versions                                           | Mitigation / fixed version
--------------------------------|-----------------------------------------------------------|---------------------------------------------------------------|------------------------------------------------------
CVE-2025-48989 ("MadeYouReset") | Server-initiated HTTP/2 stream resets exhaust memory      | 9.0.x ≤ 9.0.107; 10.1.x ≤ 10.1.43; 11.0.x ≤ 11.0.9            | Upgrade to 9.0.108, 10.1.44 or 11.0.10
CVE-2025-31650                  | Malformed Priority header leaks memory, then OOM          | 9.0.76–9.0.102; 10.1.10–10.1.39; 11.0.0-M2–11.0.5             | Upgrade to 9.0.104, 10.1.40 or 11.0.6
CVE-2025-52434 / 52520 / 53506  | APR/Native HTTP/2 input, upload limits, stream exhaustion | Releases before 9.0.107, 10.1.43, 11.0.9 (52434: 9.0.x only)  | Upgrade to 9.0.107, 10.1.43 or 11.0.9; the MadeYouReset releases above cover these too
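A way to check a running instance against the table, as an added example rather than anything from this page or from the Tomcat project: the script below parses a Tomcat version string (including milestone builds such as 11.0.0-M2 or 9.0.0.M1, which must sort before the GA build of the same number), applies the version ranges for CVE-2025-48989 and CVE-2025-31650 transcribed from the table, and reports the smallest release that closes everything that applies. The 10.1.44 and 11.0.10 fix versions for MadeYouReset are taken from the Apache Tomcat security pages rather than from the table; the range list is hand-maintained and must be updated when new advisories appear.

```python
"""Audit a Tomcat version against the DoS advisories in the summary table.

Added example. The ranges below are transcribed by hand from the table
above (plus the 10.1/11.0 fix versions for CVE-2025-48989 from the Apache
Tomcat security pages); they are not a live feed.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: Optional[int]  # None for a GA build; 2 for "11.0.0-M2" or "9.0.0.M2"

    @classmethod
    def parse(cls, text: str) -> "TomcatVersion":
        # Accepts a bare "9.0.100" or the "Server version: Apache Tomcat/9.0.100"
        # line printed by catalina.sh version (assumption: the first x.y.z in the
        # text is the Tomcat version).
        m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?", text)
        if not m:
            raise ValueError(f"no Tomcat version found in {text!r}")
        major, minor, patch, ms = m.groups()
        return cls(int(major), int(minor), int(patch), int(ms) if ms else None)

    def key(self) -> Tuple[int, int, int, int, int]:
        # Milestones precede the GA build of the same number:
        # 11.0.0-M2 < 11.0.0-M30 < 11.0.0 < 11.0.1
        is_ga = 0 if self.milestone is not None else 1
        return (self.major, self.minor, self.patch, is_ga, self.milestone or 0)

    @property
    def branch(self) -> Tuple[int, int]:
        return (self.major, self.minor)  # 9.0, 10.1, 11.0


# (lower bound or None for "any build on the branch", highest affected, first fixed)
Range = Tuple[Optional[str], str, str]


class Advisory(NamedTuple):
    cve: str
    summary: str
    ranges: Tuple[Range, ...]


ADVISORIES: Tuple[Advisory, ...] = (
    Advisory("CVE-2025-48989", "MadeYouReset: server-initiated HTTP/2 resets exhaust memory",
             ((None, "9.0.107", "9.0.108"),
              (None, "10.1.43", "10.1.44"),
              (None, "11.0.9", "11.0.10"))),
    Advisory("CVE-2025-31650", "malformed HTTP/2 Priority header leaks memory",
             (("9.0.76", "9.0.102", "9.0.104"),
              ("10.1.10", "10.1.39", "10.1.40"),
              ("11.0.0-M2", "11.0.5", "11.0.6"))),
)


def is_covered_branch(version: str) -> bool:
    """True if the table says anything at all about this release branch."""
    v = TomcatVersion.parse(version)
    return any(TomcatVersion.parse(hi).branch == v.branch
               for adv in ADVISORIES for _, hi, _ in adv.ranges)


def audit(version: str) -> List[Tuple[str, str]]:
    """Return [(cve, first fixed version)] for every advisory that applies."""
    v = TomcatVersion.parse(version)
    findings = []
    for adv in ADVISORIES:
        for lo, hi, fixed in adv.ranges:
            hi_v = TomcatVersion.parse(hi)
            if hi_v.branch != v.branch:
                continue  # range belongs to another branch
            if lo is not None and v.key() < TomcatVersion.parse(lo).key():
                continue  # older than the first affected build
            if v.key() <= hi_v.key():
                findings.append((adv.cve, fixed))
    return findings


def upgrade_target(version: str) -> Optional[str]:
    """Smallest release that closes every finding, or None if nothing applies."""
    fixes = [fixed for _, fixed in audit(version)]
    return max(fixes, key=lambda s: TomcatVersion.parse(s).key()) if fixes else None


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["9.0.100", "11.0.0-M2", "10.1.44", "8.5.100"]:
        if not is_covered_branch(arg):
            print(arg, "-> branch not covered by this table")
            continue
        hits = ", ".join(f"{c} (fixed in {f})" for c, f in audit(arg))
        print(arg, "->", hits or "no listed CVE applies", "| upgrade to", upgrade_target(arg) or "n/a")
```

Pass either a bare version or the whole `Server version: Apache Tomcat/...` line that `catalina.sh version` prints; a branch the table does not mention (8.5, 10.0) is reported as uncovered rather than as clean, which is the answer you want from an audit tool.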

Your Action Plan

  1. Immediately upgrade your Tomcat servers:

    • For the MadeYouReset HTTP/2 fix (CVE-2025-48989): Tomcat 9.0.108, 10.1.44, or 11.0.10, or newer.

    • For the Priority header memory leak (CVE-2025-31650): Tomcat 9.0.104, 10.1.40, 11.0.6, or newer.

    • Because the MadeYouReset releases are the latest of these, a single upgrade to 9.0.108 / 10.1.44 / 11.0.10 closes every CVE on this page. Verify with the "Server version" line printed by catalina.sh version (version.bat on Windows) rather than trusting the install directory name.

  2. Apply additional mitigations while upgrading:

    • Rate-limit suspicious HTTP/2 clients at the edge, and cap what one connection can do in Tomcat itself: the maxConcurrentStreams attribute on the Http2Protocol UpgradeProtocol bounds in-flight streams per connection. This shrinks the blast radius but does not remove the bugs.

    • Put a WAF or reverse proxy that terminates HTTP/2 itself in front of Tomcat and speaks HTTP/1.1 to it; malformed frames and forced resets then never reach Tomcat's HTTP/2 connector, where every HTTP/2 bug above lives. A proxy that passes HTTP/2 through end to end adds no protection against these bugs, and no proxy helps with the multipart limit bypass unless it enforces its own request-body size limit.

    • Monitor heap usage and request patterns: OutOfMemoryError entries in catalina.out, heap that climbs during a burst of HTTP/2 requests from a small number of client addresses, and a rising rate of HTTP/2 protocol errors are the signatures to alert on.

  3. Maintain a regular patch cadence, especially for the HTTP/2 connector and file upload handling: every DoS vector on this page lives in one of those two areas.
