CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Analysis
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.105, 10.1.0-M1 through 10.1.41, and 11.0.0-M1 through 11.0.7. It allows unauthenticated remote attackers to reach PreResources or PostResources that are mounted at a path other than the web application root through an unexpected alternate path, bypassing the security constraints configured for the intended path. With a CVSS score of 7.5 (high confidentiality impact, no integrity or availability impact), this is a high-severity failure of the authentication mechanism that requires immediate patching.
Technical Context
Apache Tomcat's resource mounting feature (PreResources and PostResources) adds static or dynamic content from locations outside the primary web application directory to the application's resource set. When these resources are mounted at a non-root path, Tomcat's security constraints are enforced by matching the request URL against the configured URL patterns, so the mounted content is protected only if every URL path that can reach it is covered by a constraint. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): insufficient normalization of the request path allowed requests to reach the mounted resources through an alternate URL path that the constraints written for the expected path did not cover. The root cause is improper canonicalization of request paths before security constraints and authentication checks are applied, which lets a request for the alternate path circumvent the intended protection.
Affected Products
Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, 9.0.0.M1 through 9.0.105, and the EOL 8.5 branch from 8.5.0 through 8.5.100. Affected CPE: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* (all versions within the ranges above). The vulnerability is specific to Tomcat installations whose context configuration uses PreResources or PostResources mounted at a path other than the application root; a deployment on an affected version that does not use such mounts is not exposed to this particular issue. All platforms running affected versions (Windows, Linux, macOS, etc.) are equally vulnerable. Organizations should inventory all Tomcat deployments and identify those using non-root PreResources/PostResources mounts.
Remediation
Immediate actions:

1. Upgrade to Apache Tomcat 11.0.8, 10.1.42, or 9.0.106 or later, which contain the fix for path canonicalization in resource mounting.
2. For the EOL 8.5.x branch, upgrade to a supported version; no patch will be provided for unsupported branches.
3. Interim mitigation (if patching cannot be completed immediately): disable PreResources and PostResources configurations that are not critical to operations, or restrict access to these resource paths with external firewall or reverse-proxy rules that enforce authentication before the request reaches Tomcat.
4. Review and strengthen the security constraints in web.xml for any resources served through alternate paths.
5. Implement request logging and monitoring to detect exploitation attempts targeting unusual resource paths.

Patch availability: vendor patches were available as of the CVE publication date in versions 9.0.106, 10.1.42, and 11.0.8 from the Apache Tomcat project.
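The inventory step from Affected Products and remediation steps (1) and (2) can be scripted. The following Python helper is an added example, not code from this page or from the Apache Tomcat project: it encodes the advisory's affected version ranges and fixing releases, parses a context.xml for PreResources/PostResources elements, and reports those mounted anywhere other than the application root. It assumes Tomcat's standard `webAppMount` attribute (default `/`) as the mount point of a resource set, and the embedded context.xml is constructed sample input.

```python
"""Triage helper for CVE-2025-49125 (added example, not advisory or Tomcat code).

Flags Tomcat versions inside the advisory's affected ranges and context.xml
files that mount PreResources/PostResources away from the web application
root (webAppMount != "/"). Assumption: webAppMount is the standard Tomcat
attribute naming a resource set's mount point; the sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory text: (first affected, last affected).
# Milestone builds (9.0.0.M1, 10.1.0-M1, 11.0.0-M1) precede the GA release.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.100"),
    ("9.0.0.M1", "9.0.105"),
    ("10.1.0-M1", "10.1.41"),
    ("11.0.0-M1", "11.0.7"),
]
# Fixing releases per branch; the 8.5 branch is EOL and receives no fix.
FIXED_VERSIONS = {"9": "9.0.106", "10": "10.1.42", "11": "11.0.8"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn '10.1.0-M1', '9.0.0.M1' or '9.0.105' into a sortable tuple.
    Milestones get stage 0 so they sort before the GA build (stage 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    stage, ms = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), stage, ms)


def is_affected(version):
    """True when the version lies inside any advisory range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Fixing release for the version's branch, or None for EOL branches."""
    return FIXED_VERSIONS.get(str(parse_version(version)[0]))


def nonroot_mounts(context_xml):
    """List (tag, base, webAppMount) for resource sets not mounted at '/'."""
    root = ET.fromstring(context_xml)
    found = []
    for tag in ("PreResources", "PostResources"):
        for el in root.iter(tag):
            mount = el.get("webAppMount", "/")  # Tomcat default: the app root
            if mount.strip("/"):                # anything but "/" is non-root
                found.append((tag, el.get("base", ""), mount))
    return found


def triage(version, context_xml):
    """Combine the version and configuration checks into one verdict."""
    mounts = nonroot_mounts(context_xml)
    affected = is_affected(version)
    if affected and mounts:
        target = fixed_version_for(version) or "a supported branch"
        action = f"exposed: upgrade to {target}"
    elif affected:
        action = "affected version, no non-root mounts found: upgrade anyway"
    else:
        action = "version not in affected ranges"
    return {"version": version, "affected_version": affected,
            "nonroot_mounts": mounts, "action": action}


# Constructed sample context.xml: one PreResources set mounted under /static
# (in scope for this issue) and one PostResources set at the root (not).
SAMPLE_CONTEXT_XML = """<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared/static" webAppMount="/static"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/overlay"/>
  </Resources>
</Context>
"""

if __name__ == "__main__":
    for v in ("9.0.105", "9.0.106", "10.1.0-M1", "11.0.8", "8.5.100"):
        print(v, "->", triage(v, SAMPLE_CONTEXT_XML)["action"])
```

Run it against each deployment's reported version and its context.xml; a result of "exposed" means both conditions from the advisory hold (affected version and a non-root mount), while an affected version without such mounts still warrants the upgrade in step (1) or (2).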
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needed | - |
| upstream | released | 10.1.42 |
| plucky | ignored | end of life, was needed |
| oracular | ignored | end of life, was needs-triage |
| questing | needed | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | released | 11.0.8 |
| questing | needed | - |
| Release | Status | Version |
|---|---|---|
| noble | not-affected | 9.0.70-2ubuntu0.1 |
| oracular | not-affected | - |
| plucky | not-affected | - |
| upstream | released | 9.0.70-2 |
| bionic | needed | - |
| focal | needed | - |
| jammy | needed | - |
| questing | not-affected | - |
Debian
Bug #1108115

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 10.1.52-1~deb12u1 | - |
| bookworm (security) | fixed | 10.1.52-1~deb12u1 | - |
| trixie (security), trixie | fixed | 10.1.52-1~deb13u1 | - |
| forky, sid | fixed | 10.1.52-1 | - |
| trixie | fixed | 10.1.52-1~deb13u1 | - |
| (unstable) | fixed | 10.1.46-1 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie (security), trixie | fixed | 11.0.15-1~deb13u1 | - |
| forky, sid | fixed | 11.0.18-1 | - |
| trixie | fixed | 11.0.15-1~deb13u1 | - |
| (unstable) | fixed | 11.0.11-1 | - |
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 9.0.107-0+deb11u1 | - |
| bullseye (security) | fixed | 9.0.107-0+deb11u2 | - |
| bookworm | fixed | 9.0.70-2 | - |
| trixie | fixed | 9.0.95-1 | - |
| forky, sid | fixed | 9.0.115-1 | - |
| (unstable) | fixed | 9.0.70-2 | - |
References
EUVD-2025-18406
GHSA-wc4r-xq3c-5cf3