CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Blast Radius
Ecosystem impact:
- 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
- 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.
Description (NVD)
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Analysis (AI)
CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0 through 8.5.100, 9.0.0.M1 through 9.0.105, 10.1.0-M1 through 10.1.41, and 11.0.0-M1 through 11.0.7. It allows an unauthenticated remote attacker to reach PreResources or PostResources that are mounted at a path other than the web application root through an unexpected alternate path, bypassing the security constraints configured for the expected path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.
Technical Context (AI)
Apache Tomcat's resource mounting feature (PreResources and PostResources) serves static or dynamic content from locations outside the primary web application directory. When these resources are mounted at non-root paths, Tomcat's security constraint enforcement relies on path-based access control. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): insufficient validation of resource path normalization allows an attacker to construct requests that reach protected resources through an alternate URL path that the configured security constraints do not cover. The root cause is improper canonicalization of the request path before security filters and authentication checks are applied, so the intended protection mechanisms can be circumvented.
Remediation (AI)
Immediate actions:
1. Upgrade to Apache Tomcat 11.0.8, 10.1.42, or 9.0.106 or later; these releases contain the fix for path canonicalization in resource mounting.
2. For the EOL 8.5.x branch, upgrade to a supported version, as no patch will be provided for unsupported branches.
3. Interim mitigation (if patching cannot be completed immediately): disable PreResources and PostResources configurations if they are not critical to operations, or restrict access to these resource paths through external firewall/reverse proxy rules that enforce additional authentication before Tomcat processes the request.
4. Review and strengthen the security constraints in web.xml for any resources served through alternate paths.
5. Implement request logging and monitoring to detect exploitation attempts targeting unusual resource paths.

Patch availability: vendor patches are available as of the CVE publication date for versions 9.0.106, 10.1.42, and 11.0.8 from the Apache Tomcat project repository.
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | needed | - |
| upstream | released | 10.1.42 |
| plucky | ignored | end of life, was needed |
| oracular | ignored | end of life, was needs-triage |
| questing | needed | - |

| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | released | 11.0.8 |
| questing | needed | - |

| Release | Status | Version |
|---|---|---|
| noble | not-affected | 9.0.70-2ubuntu0.1 |
| oracular | not-affected | - |
| plucky | not-affected | - |
| upstream | released | 9.0.70-2 |
| bionic | needed | - |
| focal | needed | - |
| jammy | needed | - |
| questing | not-affected | - |
Debian
Bug #1108115

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | fixed | 10.1.52-1~deb12u1 | - |
| bookworm (security) | fixed | 10.1.52-1~deb12u1 | - |
| trixie (security), trixie | fixed | 10.1.52-1~deb13u1 | - |
| forky, sid | fixed | 10.1.52-1 | - |
| trixie | fixed | 10.1.52-1~deb13u1 | - |
| (unstable) | fixed | 10.1.46-1 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| trixie (security), trixie | fixed | 11.0.15-1~deb13u1 | - |
| forky, sid | fixed | 11.0.18-1 | - |
| trixie | fixed | 11.0.15-1~deb13u1 | - |
| (unstable) | fixed | 11.0.11-1 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 9.0.107-0+deb11u1 | - |
| bullseye (security) | fixed | 9.0.107-0+deb11u2 | - |
| bookworm | fixed | 9.0.70-2 | - |
| trixie | fixed | 9.0.95-1 | - |
| forky, sid | fixed | 9.0.115-1 | - |
| (unstable) | fixed | 9.0.70-2 | - |
External POC / Exploit Code
EUVD-2025-18406
GHSA-wc4r-xq3c-5cf3