CVE-2025-31650 

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

ESXi

ESXi doesn't contain Tomcat. Not impacted.

vCenter

vCenter 7.0 contains Tomcat 8.x, which is end of life. No impact on this version is officially announced by Tomcat.

vCenter 8.0 and 9.0 contains Tomcat 9.x. This will be fixed in next release after 8.0U3e and 9.0GA.