Skip to main content

Tomcat EUVDEUVD-2025-18406

| CVE-2025-49125 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2025-06-16 security@apache.org GHSA-wc4r-xq3c-5cf3
High
Disputed · 7.5 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
3.7 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 21:59 euvd
EUVD-2025-18406
Analysis Generated
Mar 14, 2026 - 21:59 vuln.today
CVE Published
Jun 16, 2025 - 15:15 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.apache.tomcat.embed:tomcat-embed-core (2 direct, 0 indirect)
  • 2 maven packages depend on org.apache.tomcat:tomcat-catalina (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 11.0.0-M1 and other introduced versions.

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AnalysisAI

CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat affecting versions 8.5.0-8.5.100, 9.0.0-9.0.105, 10.1.0-10.1.41, and 11.0.0-11.0.7. The vulnerability allows unauthenticated remote attackers to access PreResources or PostResources mounted outside the web application root via alternate path traversal, bypassing security constraints configured for the intended resource path. With a CVSS score of 7.5 and high confidentiality impact, this represents a critical authentication mechanism failure that requires immediate patching.

Technical ContextAI

Apache Tomcat's resource mounting feature (PreResources and PostResources) is used to serve static or dynamic content from locations outside the primary web application directory. When these resources are mounted at non-root paths, Tomcat's security constraint enforcement relies on path-based access control. The vulnerability stems from CWE-288 (Authentication Using an Alternate Path or Channel), where insufficient validation of resource path normalization allows attackers to construct requests that access protected resources through alternate URL paths that bypass the configured security constraints. The root cause involves improper canonicalization of request paths before applying security filters and authentication checks, enabling path traversal techniques to circumvent the intended protection mechanisms.

RemediationAI

Immediate actions: (1) Upgrade to Apache Tomcat 11.0.8, 10.1.42, or 9.0.106 or later versions which contain the fix for path canonicalization in resource mounting. (2) For EOL version 8.5.x, upgrade to a supported version as no patch will be provided for unsupported branches. (3) Interim mitigation (if patching cannot be immediately completed): disable PreResources and PostResources configurations if not critical to operations, or restrict access to these resource paths through external firewall/reverse proxy rules that enforce additional authentication before Tomcat processing. (4) Review and strengthen security constraints in web.xml for any resources served through alternate paths. (5) Implement request logging and monitoring to detect exploitation attempts targeting unusual resource paths. Patch availability: Vendor patches are available as of the CVE publication date for versions 9.0.106, 10.1.42, and 11.0.8 from the Apache Tomcat project repository.

More in Tomcat

View all
CVE-2017-12617 HIGH POC
8.1 Oct 04

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTT

CVE-2016-8735 CRITICAL POC
9.8 Apr 06

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8

CVE-2017-12615 HIGH POC
8.1 Sep 19

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. Rated high severity (CVSS 8.1), this

CVE-2014-0050 HIGH POC
7.5 Apr 01

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products,

CVE-2017-12616 HIGH
7.5 Sep 19

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or

CVE-2014-0227 MEDIUM
6.4 Feb 16

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and

CVE-2013-5528 MEDIUM POC
4.0 Oct 11

Directory traversal vulnerability in the Tomcat administrative web interface in Cisco Unified Communications Manager all

CVE-2016-6808 CRITICAL POC
9.8 Apr 12

Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Rated critical severity (CVSS 9.8), this vulnerabili

CVE-2016-1240 HIGH POC
7.8 Oct 03

The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debia

CVE-2016-5425 HIGH POC
7.8 Oct 13

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distribu

CVE-2022-22965 CRITICAL POC
9.8 Apr 01

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data b

CVE-2025-31650 HIGH POC
7.5 Apr 28

Improper Input Validation vulnerability in Apache Tomcat. Rated high severity (CVSS 7.5), this vulnerability is remotely

Vendor StatusVendor

Ubuntu

Priority: Medium
tomcat10
Release Status Version
jammy DNE -
noble needed -
upstream released 10.1.42
plucky ignored end of life, was needed
oracular ignored end of life, was needs-triage
questing needed -
tomcat11
Release Status Version
jammy DNE -
noble DNE -
oracular DNE -
plucky DNE -
upstream released 11.0.8
questing needed -
tomcat9
Release Status Version
noble not-affected 9.0.70-2ubuntu0.1
oracular not-affected -
plucky not-affected -
upstream released 9.0.70-2
bionic needed -
focal needed -
jammy needed -
questing not-affected -

Debian

Bug #1108115
tomcat10
Release Status Fixed Version Urgency
bookworm fixed 10.1.52-1~deb12u1 -
bookworm (security) fixed 10.1.52-1~deb12u1 -
trixie (security), trixie fixed 10.1.52-1~deb13u1 -
forky, sid fixed 10.1.52-1 -
trixie fixed 10.1.52-1~deb13u1 -
(unstable) fixed 10.1.46-1 -
tomcat11
Release Status Fixed Version Urgency
trixie (security), trixie fixed 11.0.15-1~deb13u1 -
forky, sid fixed 11.0.18-1 -
trixie fixed 11.0.15-1~deb13u1 -
(unstable) fixed 11.0.11-1 -
tomcat9
Release Status Fixed Version Urgency
bullseye fixed 9.0.107-0+deb11u1 -
bullseye (security) fixed 9.0.107-0+deb11u2 -
bookworm fixed 9.0.70-2 -
trixie fixed 9.0.95-1 -
forky, sid fixed 9.0.115-1 -
(unstable) fixed 9.0.70-2 -

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:5.0.5.1.7.33.2 Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.8.7.1 Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Affected
SUSE Enterprise Storage 7.1 Fixed
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS Fixed

Share

EUVD-2025-18406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy