CVE-2025-31650 PoC — Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

Source

https://github.com/obscura-cert/CVE-2025-31650

Associated Vulnerability

Title:Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
Description:Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

Readme

# Apache Tomcat 10.1.39 - Denial of Service (DoS)

This tool performs a high-volume, asynchronous HTTP/2 request flood using malformed `priority` headers to test the stability of Apache Tomcat servers running version 10.1.10 to 10.1.39.

> ⚠️ This is strictly for **educational and research purposes** only.  
> ❌ The author(s) are **not responsible** for any illegal or unauthorized use.

---

## 🧰 Features

- Sends randomized malformed HTTP/2 `priority` headers
- Multi-threaded async architecture (`httpx`)
- Real-time availability monitoring
- No attribution, CVEs, or tracking metadata
- Simple CLI input, no arguments required

File Snapshot


 [4.0K]  /data/pocs/3d78afce36930088ea9bd57aa2bbd56bd1ca389e
├── [1.0K]  LICENSE
├── [4.2K]  main.py
└── [ 643]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!