BIT-tomcat-2025-31651
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in tomcat-embed-core (Maven)
What is BIT-tomcat-2025-31651 About?
This vulnerability in Apache Tomcat allows for the bypass of security constraints due to improper neutralization of escape, meta, or control sequences within rewrite rules. Attackers can craft specific requests to circumvent security measures enforced by these rules, potentially gaining unauthorized access or performing restricted actions. Exploitation is dependent on a specific and unlikely rewrite rule configuration, making it moderately complex.
Affected Software
- org.apache.tomcat:tomcat-catalina
  - >8.5.0, <=8.5.100
  - >10.1.10, <10.1.40
  - >9.0.76, <9.0.104
  - >11.0.0-M2, <11.0.6
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.5.0, <=8.5.100
  - >10.1.10, <10.1.40
  - >9.0.76, <9.0.104
  - >11.0.0-M2, <11.0.6
Technical Details
The vulnerability stems from improper neutralization of special sequences within Apache Tomcat's rewrite rule processing, affecting versions 11.0.0-M1 through 11.0.5, 10.1.0-M1 through 10.1.39, and 9.0.0.M1 through 9.0.102 (and older EOL versions). For a very specific subset of rewrite rule configurations, a specially crafted HTTP request can exploit how Tomcat interprets URL patterns and escape sequences. This allows the request to bypass intended rewrite rules that enforce security constraints. An attacker can construct a URL that, when processed by the vulnerable rewrite engine, does not match the security-enforcing pattern, thereby allowing access to resources or functionalities that should be restricted. The actual mechanism involves encoding tricks or specific sequence combinations that are misinterpreted by the rewrite engine, leading to an effective security bypass.
What is the Impact of BIT-tomcat-2025-31651?
Successful exploitation may allow attackers to bypass security constraints, leading to unauthorized access to restricted resources or functionalities, and potentially data leakage or unauthorized data modification.
What is the Exploitability of BIT-tomcat-2025-31651?
Exploitation of this vulnerability requires a specially crafted request targeting a vulnerable Apache Tomcat instance. The complexity is moderate due to the need for a specific and 'unlikely' rewrite rule configuration to be present and active. No explicit authentication or privilege is typically required to send the crafted request, making it accessible to unauthenticated remote attackers. This is a remote vulnerability. Special conditions include the specific rewrite rule configuration in Tomcat that is susceptible to the bypass, which is not a common default. The risk factors that increase exploitation likelihood include instances where custom, complex rewrite rules are deployed without thorough testing against various encoding and escape sequence attacks, especially if these rules are relied upon for critical security enforcement.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| gregk4sec | Link | CVE-2025-31651 PoC |
What are the Available Fixes for BIT-tomcat-2025-31651?
About the Fix from Resolved Security
This patch resolves CVE-2025-31651 by changing how the RewriteValve processes URLs, ensuring that special characters like '%', ';', and '?' are consistently percent-encoded before rule processing and using encoders that prevent double encoding of '%'. This fix eliminates ambiguity in rewritten URLs that could previously allow attackers to bypass security filters or access unintended resources by carefully crafting encoded input, closing a vector for security bypass or request smuggling.
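The defensive principle described above, canonicalizing the URL before any rule is evaluated so that a client-encoded and an unencoded spelling of the same path can no longer reach the matcher in different forms, can be shown in a few lines. The following is an added illustration in Python and is not Tomcat's RewriteValve code; the exact policy (keep well-formed `%XX` escapes, encode a stray `%` as `%25`, always encode `;` and `?`) is an assumption made for the example, chosen to match the page's description of "no double encoding of '%'".

```python
import re

# A well-formed percent escape: '%' followed by exactly two hex digits.
_VALID_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

# Characters that the page says are encoded before rule processing.
_ALWAYS_ENCODE = {";": "%3B", "?": "%3F"}


def canonicalize_for_rules(path: str) -> str:
    """Return the single canonical spelling of `path` used for rule matching.

    Policy (assumed for this illustration, not Tomcat's actual encoder):
      * a well-formed %XX escape is copied through unchanged (no double encoding)
      * a bare '%' that does not start a valid escape becomes '%25'
      * ';' and '?' are always percent-encoded so they cannot later be read as
        path-parameter or query delimiters
    """
    out = []
    i = 0
    while i < len(path):
        ch = path[i]
        if ch == "%":
            if _VALID_ESCAPE.match(path, i):
                out.append(path[i:i + 3])   # keep existing escape as-is
                i += 3
                continue
            out.append("%25")              # stray '%' gets encoded
        elif ch in _ALWAYS_ENCODE:
            out.append(_ALWAYS_ENCODE[ch])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def rule_matches(pattern: str, path: str) -> bool:
    """Apply a rewrite-style regex to the canonical form, never to the raw path.

    Because both '/a?b' and '/a%3Fb' canonicalize to '/a%3Fb', a rule written
    against the canonical spelling gives the same answer for either input.
    """
    return re.search(pattern, canonicalize_for_rules(path)) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real request log.
    for raw in ["/a%20b", "/a%zzb", "/x;y?z=1", "/a?b", "/a%3Fb"]:
        print(f"{raw!r:14} -> {canonicalize_for_rules(raw)!r}")
```

Two properties are worth checking in any canonicalizer you deploy in front of security rules: it must be idempotent (running it twice changes nothing, which is exactly what "no double encoding" buys you), and every spelling a client can send for the same path must collapse to one string before the rule sees it.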
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.76, <9.0.104 → Upgrade to 9.0.104
  - >10.1.10, <10.1.40 → Upgrade to 10.1.40
  - >11.0.0-M2, <11.0.6 → Upgrade to 11.0.6
- org.apache.tomcat:tomcat-catalina
  - >9.0.76, <9.0.104 → Upgrade to 9.0.104
  - >10.1.10, <10.1.40 → Upgrade to 10.1.40
  - >11.0.0-M2, <11.0.6 → Upgrade to 11.0.6
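To turn the "Affected Software" ranges and the "Available Upgrade Options" above into a check you can run against a dependency list, the following added Python script (not part of the advisory or of the Tomcat project) compares Maven coordinates and versions against the ranges exactly as the page lists them, and maps an affected version to the upgrade target listed for its branch. Tomcat milestone versions (`11.0.0-M2`, and the older `9.0.0.M1` spelling) are ordered before the GA release with the same numbers. The sample dependency list at the bottom is constructed; feed it the output of `mvn dependency:list` or your SBOM instead.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Affected ranges, copied from the advisory's "Affected Software" section.
_RANGES = [">8.5.0, <=8.5.100", ">10.1.10, <10.1.40",
           ">9.0.76, <9.0.104", ">11.0.0-M2, <11.0.6"]
AFFECTED = {
    "org.apache.tomcat:tomcat-catalina": _RANGES,
    "org.apache.tomcat.embed:tomcat-embed-core": _RANGES,
}

# Fix targets per (major, minor) branch, from "Available Upgrade Options".
# The 8.5.x branch has no upgrade listed on the page, so it maps to None.
FIXED = {(9, 0): "9.0.104", (10, 1): "10.1.40", (11, 0): "11.0.6"}

VersionKey = Tuple[int, int, int, int, int]


def parse_version(v: str) -> VersionKey:
    """Parse '9.0.104', '11.0.0-M2' or '9.0.0.M1' into a sortable tuple.

    The fourth element is 0 for a milestone and 1 for a GA release, so a
    milestone sorts before the GA build that carries the same numbers.
    """
    v = v.strip().replace(".M", "-M")          # '9.0.0.M1' -> '9.0.0-M1'
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


_OPS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def in_range(version: str, range_spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause of `range_spec`."""
    key = parse_version(version)
    for clause in range_spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](key, parse_version(bound)):
            return False
    return True


def is_affected(coordinate: str, version: str) -> bool:
    """Coordinate is 'groupId:artifactId'; unknown artifacts are not affected."""
    return any(in_range(version, r) for r in AFFECTED.get(coordinate, []))


def recommended_upgrade(version: str) -> Optional[str]:
    key = parse_version(version)
    return FIXED.get((key[0], key[1]))


def check_dependencies(deps: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, Optional[str]]]:
    """Return (coordinate, version, upgrade_target) for every affected dependency."""
    return [(c, v, recommended_upgrade(v)) for c, v in deps if is_affected(c, v)]


# Constructed sample, not taken from a real build.
SAMPLE_DEPS = [
    ("org.apache.tomcat.embed:tomcat-embed-core", "10.1.39"),
    ("org.apache.tomcat.embed:tomcat-embed-core", "10.1.40"),
    ("org.apache.tomcat:tomcat-catalina", "11.0.0-M2"),
    ("org.apache.tomcat:tomcat-catalina", "11.0.0-M3"),
    ("org.apache.tomcat:tomcat-catalina", "9.0.0.M1"),
    ("org.apache.tomcat:tomcat-catalina", "8.5.50"),
    ("org.apache.tomcat:tomcat-websocket", "9.0.80"),
]

if __name__ == "__main__":
    for coord, ver, target in check_dependencies(SAMPLE_DEPS):
        fix = f"upgrade to {target}" if target else "no fixed release listed"
        print(f"AFFECTED {coord} {ver}: {fix}")
```

Note that the lower bounds are exclusive as written on the page (`>11.0.0-M2` does not flag `11.0.0-M2` itself), and that an affected 8.5.x dependency gets no upgrade target because the page lists none for that branch; treat a `None` target as "move to a supported branch".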
Additional Resources
- https://github.com/apache/tomcat/commit/fbecc915a10c5a3d634c5e2c6ced4ff479ce9953
- https://github.com/apache/tomcat/commit/066bf6b6a15a4e7e0941d4acf096841165b97098
- https://github.com/apache/tomcat
- https://tomcat.apache.org/security-11.html
- http://www.openwall.com/lists/oss-security/2025/04/28/3
- https://osv.dev/vulnerability/GHSA-ff77-26x5-69cr
- https://lists.apache.org/list.html?announce@tomcat.apache.org
- https://nvd.nist.gov/vuln/detail/CVE-2025-31651
What are Similar Vulnerabilities to BIT-tomcat-2025-31651?
Similar Vulnerabilities: CVE-2021-42340, CVE-2021-26702, CVE-2020-13935, CVE-2016-0714, CVE-2015-5345
