Skip to main content

Tomcat CVE-2025-49124

| EUVDEUVD-2025-18410 HIGH
Untrusted Search Path (CWE-426)
2025-06-16 security@apache.org GHSA-42wg-hm62-jcwg
8.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18410
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
CVE Published
Jun 16, 2025 - 15:15 nvd
HIGH 8.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.

DescriptionCVE.org

Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100 and 7.0.95 through 7.0.109. Other EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AnalysisAI

A security vulnerability in Apache Tomcat installer for Windows (CVSS 8.4). High severity vulnerability requiring prompt remediation.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 8.4 indicates high severity. Affects Apache Tomcat installer for Windows.

RemediationAI

Monitor vendor channels for patch availability.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Vendor StatusVendor

Ubuntu

Priority: Medium
tomcat10
Release Status Version
jammy DNE -
upstream not-affected debian: Windows-specific
oracular ignored end of life, was needs-triage
noble not-affected Windows-specific
plucky not-affected Windows-specific
tomcat11
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream not-affected debian: Windows-specific
tomcat9
Release Status Version
upstream not-affected debian: Windows-specific
oracular ignored end of life, was needs-triage
bionic not-affected Windows-specific
focal not-affected Windows-specific
jammy not-affected Windows-specific
noble not-affected Windows-specific
plucky not-affected Windows-specific

Debian

tomcat10
Release Status Fixed Version Urgency
bookworm fixed 10.1.34-0+deb12u2 -
bookworm (security) fixed 10.1.52-1~deb12u1 -
trixie (security), trixie fixed 10.1.52-1~deb13u1 -
forky, sid fixed 10.1.52-1 -
(unstable) not-affected - -
tomcat11
Release Status Fixed Version Urgency
trixie (security), trixie fixed 11.0.15-1~deb13u1 -
forky, sid fixed 11.0.18-1 -
(unstable) not-affected - -
tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.43-2~deb11u10 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) not-affected - -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2025-49124 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy