VulnerableCode Package Details - pkg:deb/debian/tomcat10@10.1.34-0%2Bdeb12u2

Search for packages

Vulnerability	Summary	Fixed by
VCID-856z-sjqh-qfbz Aliases: CVE-2025-31651 GHSA-ff77-26x5-69cr	Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.	10.1.40-1~bpo12+1 Affected by 0 other vulnerabilities.
VCID-wbae-761d-qqeq Aliases: CVE-2025-31650 GHSA-3p2h-wqq4-wf4h	Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.	10.1.40-1~bpo12+1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-856z-sjqh-qfbz
Aliases:
CVE-2025-31651
GHSA-ff77-26x5-69cr

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

10.1.40-1~bpo12+1
Affected by 0 other vulnerabilities.

VCID-wbae-761d-qqeq
Aliases:
CVE-2025-31650
GHSA-3p2h-wqq4-wf4h

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

10.1.40-1~bpo12+1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T13:06:22.397163+00:00	Debian Importer	Affected by	VCID-wbae-761d-qqeq	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:48:59.471608+00:00	Debian Importer	Affected by	VCID-856z-sjqh-qfbz	https://security-tracker.debian.org/tracker/data/json	37.0.0

2025-08-01T13:06:22.397163+00:00

Debian Importer

Affected by

VCID-wbae-761d-qqeq

https://security-tracker.debian.org/tracker/data/json

37.0.0

2025-08-01T12:48:59.471608+00:00

Debian Importer

Affected by

VCID-856z-sjqh-qfbz

https://security-tracker.debian.org/tracker/data/json

37.0.0

Next non-vulnerable version	10.1.40-1~bpo12+1
Latest non-vulnerable version	10.1.40-1~bpo12+1
Risk	10.0