Apache Tomcat Vulnerability CVE-2025-31650
API Gateway 11.x
A flaw was found in Apache Tomcat. This vulnerability allows an application-level denial of service (DoS) via maliciously crafted HTTP/2 prioritization headers, causing Tomcat to become unresponsive or slow. Tomcat performs an incomplete cleanup of failed requests, which triggers a memory leak.
CVE-2025-31650 exclusively impacts HTTP/2 (H2) and HTTP/2 Cleartext (H2C). In the Gateway, Tomcat is not utilized to handle HTTP/2 traffic, so this vulnerability does not pose a risk in our environment.