BIT-tomcat-2025-66614
Improper Input Validation vulnerability in tomcat-embed-core (Maven)

Improper Input Validation | No known exploit

What is BIT-tomcat-2025-66614 About?

This Improper Input Validation vulnerability in Apache Tomcat allows a client to bypass client certificate authentication. By presenting different hostnames in the TLS SNI extension and the HTTP Host header, an attacker can bypass security controls. Exploitation complexity is moderate, requiring a specific server configuration and an understanding of the TLS and HTTP protocols.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >=10.1.0-M1, <10.1.49
    • >=11.0.0-M1, <11.0.14
    • <9.0.112
  • org.apache.tomcat:tomcat
    • >=10.1.0-M1, <10.1.49
    • >=11.0.0-M1, <11.0.14
    • <9.0.112
  • org.apache.tomcat:tomcat-catalina
    • >=10.1.0-M1, <10.1.49
    • >=11.0.0-M1, <11.0.14
    • <9.0.112

Technical Details

Apache Tomcat versions from 11.0.0-M1 through 11.0.14, 10.1.0-M1 through 10.1.49, and 9.0.0-M1 through 9.0.112 are vulnerable due to a failure to validate that the hostname provided in the SNI extension matches the hostname in the HTTP Host header. If Tomcat is configured with multiple virtual hosts where one requires client certificate authentication via the Connector (and not the web application) and another does not, an attacker can provide the hostname of the certificate-requiring host in the SNI and the hostname of the non-certificate-requiring host in the HTTP Host header. This mismatch causes Tomcat to incorrectly apply the less restrictive authentication policy, thus bypassing client certificate authentication.
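The check that the paragraph above describes as missing, modelled as an added Python example written for this page (it is not Tomcat source code and does not reproduce Tomcat's internals). The model assumes a single TLS connector fronting two constructed virtual hosts, `secure.example.test` (client certificate required at the connector level) and `public.example.test` (no client certificate), with `public.example.test` as the default host. `route_unchecked` applies per-host policy from the Host header alone, which is the behaviour the advisory attributes to the affected versions; `route_checked` refuses any request whose Host header names a different virtual host than the one the SNI value selected, in either direction. The TLS handshake itself is not simulated.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed example configuration (an assumption for this illustration):
# two virtual hosts served by one TLS connector. The flag mirrors the kind of
# per-host client-certificate setting a connector carries for each host.
CLIENT_CERT_REQUIRED: Dict[str, bool] = {
    "secure.example.test": True,
    "public.example.test": False,
}
DEFAULT_HOST = "public.example.test"  # used when SNI or Host is absent or unknown


def normalize_host(value: Optional[str]) -> Optional[str]:
    """Reduce an SNI name or a Host header value to a comparable host name.

    Handles case, surrounding whitespace, an optional ":port" suffix, a
    bracketed IPv6 literal and a trailing dot. Returns None when nothing
    usable is left.
    """
    if value is None:
        return None
    v = value.strip().lower()
    if v.startswith("["):                 # "[::1]:8443" -> "::1"
        end = v.find("]")
        if end < 0:
            return None
        v = v[1:end]
    elif v.count(":") == 1:               # "host:8443" -> "host"
        v = v.split(":", 1)[0]
    v = v.rstrip(".")
    return v or None


def select_tls_host(sni: Optional[str]) -> str:
    """The TLS layer picks per-host settings from SNI; an unknown or missing
    name falls back to the default host."""
    name = normalize_host(sni)
    return name if name in CLIENT_CERT_REQUIRED else DEFAULT_HOST


@dataclass(frozen=True)
class Decision:
    virtual_host: Optional[str]   # host whose policy ends up applied
    cert_required: bool           # whether that policy demands a client cert
    rejected: bool
    reason: str


def route_unchecked(sni: Optional[str], host_header: Optional[str]) -> Decision:
    """Behaviour the advisory describes: the HTTP layer maps the request by
    Host header alone and never confirms that it names the host the SNI value
    selected, so the policy applied is whichever host the header names."""
    header_host = normalize_host(host_header)
    vhost = header_host if header_host in CLIENT_CERT_REQUIRED else DEFAULT_HOST
    return Decision(vhost, CLIENT_CERT_REQUIRED[vhost], False, "routed by Host header only")


def route_checked(sni: Optional[str], host_header: Optional[str]) -> Decision:
    """Hardened behaviour: refuse the request unless the Host header names the
    same virtual host that SNI selected, so per-host policy is never chosen by
    a header the TLS layer did not see. (Rejection is this model's choice.)"""
    tls_host = select_tls_host(sni)
    header_host = normalize_host(host_header)
    if header_host is None:
        return Decision(None, False, True, "missing or malformed Host header")
    if header_host not in CLIENT_CERT_REQUIRED:
        header_host = DEFAULT_HOST    # unknown names go to the default host, as with SNI
    if header_host != tls_host:
        return Decision(None, False, True,
                        f"Host header {header_host!r} does not match SNI-selected host {tls_host!r}")
    return Decision(tls_host, CLIENT_CERT_REQUIRED[tls_host], False, "ok")


if __name__ == "__main__":
    cases = [
        ("secure.example.test", "secure.example.test"),        # consistent
        ("secure.example.test", "public.example.test:8443"),   # the mismatch described above
        ("public.example.test", "secure.example.test"),        # the reverse mismatch
        (None, "public.example.test"),                         # no SNI, default host
    ]
    for sni, host in cases:
        print(f"SNI={sni!r} Host={host!r}")
        print(f"  unchecked: {route_unchecked(sni, host)}")
        print(f"  checked:   {route_checked(sni, host)}")
```

The comparison is done on normalised names because a Host header legitimately carries a port and may differ in case, so a naive string equality would either reject valid requests or be trivially sidestepped by a port suffix; unknown names on both sides are mapped to the default host before comparing, matching how a default virtual host absorbs unrecognised names.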

What is the Impact of BIT-tomcat-2025-66614?

Successful exploitation may allow attackers to bypass client certificate authentication, gaining unauthorized access to resources that should be protected.

What is the Exploitability of BIT-tomcat-2025-66614?

Exploitation requires a specific setup of Apache Tomcat: multiple virtual hosts, where client certificate authentication is enforced at the Connector level for one host and not for another. The attacker must control both the SNI hostname and the HTTP Host header. This indicates a moderate complexity of exploitation. There are no direct authentication requirements for the initial bypass attempt, but the attack's goal is to bypass a certificate-based authentication. Privilege requirements are low, as it's a client-side initiated bypass. This is a remote vulnerability. A critical constraint is that client certificate authentication must be configured at the Connector level, not within the web application itself.

What are the Known Public Exploits?

No known public exploits: no PoC, author, link or commentary has been recorded for this vulnerability.

What are the Available Fixes for BIT-tomcat-2025-66614?

Available Upgrade Options

  • org.apache.tomcat:tomcat
    • <9.0.112 → Upgrade to 9.0.112
    • >=10.1.0-M1, <10.1.49 → Upgrade to 10.1.49
    • >=11.0.0-M1, <11.0.14 → Upgrade to 11.0.14
  • org.apache.tomcat:tomcat-catalina
    • <9.0.112 → Upgrade to 9.0.112
    • >=10.1.0-M1, <10.1.49 → Upgrade to 10.1.49
    • >=11.0.0-M1, <11.0.14 → Upgrade to 11.0.14
  • org.apache.tomcat.embed:tomcat-embed-core
    • <9.0.112 → Upgrade to 9.0.112
    • >=10.1.0-M1, <10.1.49 → Upgrade to 10.1.49
    • >=11.0.0-M1, <11.0.14 → Upgrade to 11.0.14


Additional Resources

What are Similar Vulnerabilities to BIT-tomcat-2025-66614?

Similar Vulnerabilities: CVE-2023-44487, CVE-2021-42340, CVE-2020-9484, CVE-2017-15705, CVE-2016-8745