The Apache Software Foundation has disclosed a new security vulnerability affecting multiple versions of Apache Tomcat. Tracked as CVE-2025-46701, the issue allows for a security constraint bypass under specific conditions, though it has been classified as a low severity risk.

CVE-2025-46701

The flaw impacts Apache Tomcat versions:

  • 11.0.0-M1 to 11.0.6

  • 10.1.0-M1 to 10.1.40

  • 9.0.0.M1 to 9.0.104

When Tomcat is running on a case-insensitive file system and security constraints are configured for the pathInfo portion of a URL that maps to the CGI servlet, a specially crafted URL can be used to bypass those constraints. CVE-2025-46701 was responsibly disclosed by Greg K (github.com/gregk4sec).

Recommended Mitigation

To address the vulnerability CVE-2025-46701, users are advised to upgrade to the following fixed versions:

  • Tomcat 11.0.7 or later

  • Tomcat 10.1.41 or later

  • Tomcat 9.0.105 or later

For organizations running affected Tomcat versions in environments with case-insensitive file systems, prompt upgrading is recommended to avoid potential misuse of this security gap.
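The following is an added example, not code from the advisory or from Apache: a small Python helper that tells you whether a given Tomcat version string falls inside the affected ranges listed above and, if so, which fixed release to move to. The version ranges and fixed versions are taken directly from the advisory; the milestone-parsing rules (treating 11.0.0-M1 and 9.0.0.M1 as pre-releases that sort before the GA build of the same number) are an assumption based on Tomcat's published version numbering. The `Server version:` line it parses is the format printed by Tomcat's `org.apache.catalina.util.ServerInfo` class; the sample output in the block is constructed.

```python
"""Check whether a Tomcat version is in the CVE-2025-46701 affected ranges.

Added example for this advisory, not Apache's code. Ranges and fixed versions
come from the advisory text; milestone ordering is an assumption based on
Tomcat's version scheme (e.g. 11.0.0-M1, 10.1.0-M1, 9.0.0.M1).
"""
import re
from typing import Optional, Tuple

# (first affected, last affected, first fixed) per branch, as stated in the advisory.
AFFECTED = [
    ("11.0.0-M1", "11.0.6", "11.0.7"),
    ("10.1.0-M1", "10.1.40", "10.1.41"),
    ("9.0.0.M1", "9.0.104", "9.0.105"),
]

# major.minor.patch with an optional milestone tag written as "-M<n>" (10.x/11.x)
# or ".M<n>" (9.x).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Line printed by `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`.
_SERVERINFO_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '11.0.0-M1' or '9.0.0.M1' or '9.0.104' into a sortable tuple.

    The fourth field is 0 for a milestone and 1 for a GA release, so every
    milestone of X.Y.Z sorts before X.Y.Z itself; the fifth field carries the
    milestone number (0 for GA).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release to upgrade to if `version` is affected, else None.

    None means "not inside any range the advisory lists", which is not the
    same as "unsupported branch is safe"; branches the advisory does not name
    (e.g. 8.5.x) are simply not covered here.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None


def version_from_serverinfo(output: str) -> Optional[str]:
    """Extract the version from ServerInfo output, e.g. 'Apache Tomcat/9.0.104'."""
    m = _SERVERINFO_RE.search(output)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of ServerInfo output; run the real command on the host
    # and feed its stdout here instead.
    SAMPLE_OUTPUT = "Server version: Apache Tomcat/9.0.104\nServer number:  9.0.104.0\n"
    running = version_from_serverinfo(SAMPLE_OUTPUT)
    for sample in [running, "9.0.105", "10.1.0-M5", "11.0.6", "11.0.7"]:
        fix = fixed_version_for(sample)
        status = f"affected, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{sample}: {status}")
```

Run the block against the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` from each Tomcat installation's `CATALINA_HOME`; the milestone handling matters because the affected ranges start at pre-release builds (11.0.0-M1, 10.1.0-M1, 9.0.0.M1), which a plain string comparison would order incorrectly.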

Source: https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
