BIT-tomcat-2025-49125
Authentication Bypass vulnerability in tomcat-embed-core (Maven)


What is BIT-tomcat-2025-49125 About?

This Authentication Bypass Using an Alternate Path or Channel vulnerability affects Apache Tomcat: when `PreResources` or `PostResources` are mounted, the resources they expose can be reached via an unexpected path. Because that alternate path is typically not covered by the security constraints applied to the intended path, the result is a security constraint bypass. Exploitation is of moderate complexity, requiring knowledge of the alternate path.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >8.5.0, <=8.5.100
    • >11.0.0-M1, <11.0.8
    • >9.0.0.M1, <9.0.106
    • >10.1.0-M1, <10.1.42
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.0, <=8.5.100
    • >11.0.0-M1, <11.0.8
    • >9.0.0.M1, <9.0.106
    • >10.1.0-M1, <10.1.42

Technical Details

The vulnerability in Apache Tomcat (versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, 9.0.0.M1 through 9.0.105, and older EOL versions) arises when PreResources or PostResources are configured and mounted at specific locations other than the root of the web application. Tomcat's internal handling allows these resources to be accessed through an 'alternate path' that is not the intended or documented access path. Critically, this alternate path is often not covered by the same security constraints or access controls applied to the expected path. Consequently, an attacker who discovers this alternate path can bypass existing authentication and authorization mechanisms, gaining unauthorized access to the resources hosted within PreResources or PostResources.

What is the Impact of BIT-tomcat-2025-49125?

Successful exploitation may allow attackers to bypass security restrictions, gaining unauthorized access to resources, sensitive information, or privileged functionality.

What is the Exploitability of BIT-tomcat-2025-49125?

Exploitation of this vulnerability is of moderate complexity, as it requires an attacker to identify the existence and specific 'alternate path' for PreResources or PostResources. Authentication requirements are nullified for the affected resources, meaning unauthenticated attackers can access them by targeting the alternate path directly. Privilege requirements would typically be bypassed, allowing access to resources that should require higher privileges. This is a remote vulnerability, exploitable by sending specially crafted HTTP requests. Special conditions include the use of PreResources or PostResources in affected Tomcat versions. The likelihood of exploitation increases if the application configures these resources with sensitive content and relies solely on path-based security constraints for their intended access points.

What are the Known Public Exploits?

PoC Author   Link   Commentary
gregk4sec    Link   Tomcat CVE

What are the Available Fixes for BIT-tomcat-2025-49125?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch strengthens path checks by replacing naive prefix matching (using `startsWith`) with a new `isPathMounted` method that ensures the matched path boundary aligns with the directory structure, preventing bypass by paths like /foo/evil matching a mount of /foo. This fixes CVE-2025-49125 by eliminating a path traversal vulnerability that could allow access to unintended resources within a Tomcat web application.
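The difference between a bare prefix test and a segment-boundary test, as an added illustration that is not Tomcat's code: `naiveIsMounted`, `isPathMounted`, the mount point `/foo` and the request paths are all constructed here to show the idea behind the fix, not the project's actual implementation.

```java
import java.util.List;

// Added illustration (not Tomcat's code): deciding whether a request path
// falls under a resource-set mount by prefix alone versus by segment boundary.
public class MountPathCheck {

    // Naive check: the request path merely starts with the mount prefix,
    // so "/foobar" is treated as if it were inside the "/foo" mount.
    static boolean naiveIsMounted(String mount, String path) {
        return path.startsWith(mount);
    }

    // Boundary-aware check (hypothetical, modelled on the idea of the fix):
    // the prefix must end exactly at a path-segment boundary, so the mount
    // "/foo" covers "/foo" and "/foo/...", but not "/foobar" or "/foo.bak".
    static boolean isPathMounted(String mount, String path) {
        if (!path.startsWith(mount)) {
            return false;
        }
        if (mount.endsWith("/")) {
            return true;                        // "/foo/" already ends at a boundary
        }
        return path.length() == mount.length()  // exact match: "/foo"
            || path.charAt(mount.length()) == '/';
    }

    public static void main(String[] args) {
        String mount = "/foo";                  // constructed mount point
        List<String> paths = List.of(           // constructed request paths
            "/foo", "/foo/", "/foo/index.html", "/foobar", "/foo.bak", "/bar");
        System.out.printf("%-16s %-6s %-8s%n", "path", "naive", "bounded");
        for (String p : paths) {
            System.out.printf("%-16s %-6b %-8b%n",
                p, naiveIsMounted(mount, p), isPathMounted(mount, p));
        }
    }
}
```

The two checks disagree only on `/foobar` and `/foo.bak`: the naive test accepts them as belonging to the `/foo` mount, while the boundary-aware test rejects them, which is the class of mismatch the advisory describes.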

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.106 → Upgrade to 9.0.106
  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0-M1, <10.1.42 → Upgrade to 10.1.42
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8
  • org.apache.tomcat:tomcat-catalina
    • >9.0.0.M1, <9.0.106 → Upgrade to 9.0.106
  • org.apache.tomcat:tomcat-catalina
    • >10.1.0-M1, <10.1.42 → Upgrade to 10.1.42
  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.8 → Upgrade to 11.0.8


Additional Resources

What are Similar Vulnerabilities to BIT-tomcat-2025-49125?

Similar Vulnerabilities: CVE-2023-46589, CVE-2022-45133, CVE-2021-43980, CVE-2020-13936, CVE-2019-0232