An unbounded memory allocation occurs during handling of WebDAV LOCK and PFIND requests in Apache Tomcat, a classic Allocation of Resources Without Limits or Throttling vulnerability (CWE-770). A hostile WebDAV request can cause the server to allocate excessive memory or perform disk I/O, exhausting resources and producing a denial of service for legitimate users. No confidentiality or integrity compromise is described.

The flaw affects Tomcat 9.0.0.M1 through 9.0.117, 10.1.0.M1 through 10.1.54, and 11.0.0.M1 through 11.0.21. Older, unsupported releases may also be impacted. Administrators should verify the running Tomcat version against these ranges.

Based on the description, it is inferred that an attacker with access to the exposed WebDAV endpoints could trigger the resource exhaustion by sending LOCK or PROPFIND requests. The CVE entry does not specify whether authentication is required or whether the endpoint must be publicly reachable, so the exact exploitation pathway is not explicitly documented. The EPSS score is below 1%, indicating a low probability of exploitation, and the vulnerability is not listed in CISA KEV. The CVSS score of 7.5 indicates a high severity of the denial‑of‑service vulnerability, and the potential impact remains significant for any Tomcat deployment that enables WebDAV and has no preventative measures, making it a high‑risk concern in exposed environments.