CVE-2025-31650 PoC — Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame

Associated Vulnerability
Title: Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
Description: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 through 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
Description
CVE-2025-31650 PoC
Readme
# TomcatKiller - CVE-2025-31650

🚨 Proof of Concept (PoC) for Apache Tomcat HTTP/2 DoS vulnerability (CVE-2025-31650)

This script triggers a memory exhaustion condition in Apache Tomcat by sending malformed `priority` headers over HTTP/2.

---

## 🎯 Affected Versions

- Apache Tomcat 9.0.76 – 9.0.102
- Apache Tomcat 10.1.10 – 10.1.39
- Apache Tomcat 11.0.0-M2 – 11.0.5
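
To triage an inventory against these ranges without sending any traffic, the following is an added example and is not part of the TomcatKiller script or its repository. The function names and the sample `Server version:` lines are constructed for illustration; the EOL 8.5 range and the fixed versions are taken from the CVE description on this page.

```python
import re

# Affected ranges as stated on this page (inclusive bounds).
AFFECTED = [
    ("8.5.90", "8.5.100"),    # EOL branch, listed as known affected
    ("9.0.76", "9.0.102"),
    ("10.1.10", "10.1.39"),
    ("11.0.0-M2", "11.0.5"),
]
# First fixed release per supported branch, as stated on this page.
FIXED = {(9, 0): "9.0.104", (10, 1): "10.1.40", (11, 0): "11.0.6"}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse(version):
    """Return a sortable key; milestones (-M<n>) sort before the final release."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # Final release gets (1, 0); milestone n gets (0, n), so 11.0.0-M2 < 11.0.0.
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail

def triage(version):
    """Return ('affected', advice) or ('not affected', '') for a version string."""
    key = parse(version)
    for low, high in AFFECTED:
        if parse(low) <= key <= parse(high):
            target = FIXED.get(key[:2])
            advice = (f"upgrade to {target}" if target
                      else "EOL branch, move to a supported release")
            return "affected", advice
    return "not affected", ""

def version_from_server_info(line):
    """Extract x.y.z from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed sample lines in the format printed by Tomcat's version script.
    for line in ("Server version: Apache Tomcat/9.0.80",
                 "Server version: Apache Tomcat/10.1.9",
                 "Server version: Apache Tomcat/11.0.0-M2",
                 "Server version: Apache Tomcat/8.5.95"):
        v = version_from_server_info(line)
        print(v, *triage(v))
```

Versions are compared numerically, so `10.1.9` correctly falls below `10.1.10` and is reported as not affected by this CVE.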

---

## ⚙️ Features

- ✔️ HTTP/2 support verification
- ✔️ `Server` header inspection (detect Tomcat)
- ✔️ `--check-only` mode (non-intrusive)
- ✔️ Async-based scalable exploit with adjustable intensity

---

## 🚀 Usage

### ✅ Check-only (safe detection)
```bash
python3 tomcatkiller.py --target https://example.com:8443 --check-only
```

### 💥 Exploit (DoS)
```bash
python3 tomcatkiller.py --target https://example.com:8443 --exploit --tasks 50 --requests 5000
```

---

## 🧩 Arguments

| Parameter         | Description                                           |
|-------------------|-------------------------------------------------------|
| `--target`        | Full target URL with protocol and port               |
| `--check-only`    | Only test if the server supports HTTP/2 & Tomcat     |
| `--exploit`       | Run the actual DoS attack                            |
| `--tasks`         | Number of async tasks (default: 50)                  |
| `--requests`      | Requests per task (default: 5000)                    |

---

## ⚠️ Disclaimer

This PoC is for educational and authorized security testing **only**.  
Do **not** use it against systems without explicit permission.

---

## 🙏 Credits

- Original concept: [@absholi7ly](https://github.com/absholi7ly/TomcatKiller-CVE-2025-31650)  
- Updated CLI version: [@tunahantekeoglu](https://github.com/tunahantekeoglu)

