CVE-2025-46701
Improper Handling of Case Sensitivity vulnerability in tomcat-embed-core (Maven)

What is CVE-2025-46701 About?

This vulnerability in Apache Tomcat's CGI servlet allows a security constraint bypass due to improper handling of case sensitivity in URI pathInfo components. An attacker can craft a request that evades security constraints, potentially gaining unauthorized access. Exploitation requires specific configurations and is moderately complex.

Affected Software

  • org.apache.tomcat:tomcat-catalina
    • >11.0.0-M1, <11.0.7
    • >8.5.0, <=8.5.100
    • >10.1.0-M1, <10.1.41
    • >9.0.0.M1, <9.0.105
  • org.apache.tomcat.embed:tomcat-embed-core
    • >11.0.0-M1, <11.0.7
    • >8.5.0, <=8.5.100
    • >10.1.0-M1, <10.1.41
    • >9.0.0.M1, <9.0.105

Technical Details

The vulnerability affects Apache Tomcat's CGI servlet across multiple versions (11.0.0-M1 through 11.0.6, 10.1.0-M1 through 10.1.40, 9.0.0.M1 through 9.0.104, and older EOL versions). It is categorized as improper handling of case sensitivity, specifically related to the pathInfo component of a URI mapped to the CGI servlet. When security constraints are applied to URIs, their enforcement might rely on a case-sensitive match. An attacker can exploit this by crafting a request where the pathInfo component uses an altered case (e.g., 'path/to/script.cgi/ADMIN' vs 'path/to/script.cgi/admin'). If the security constraint is only applied to one case, the other case might not be subject to the same constraint, allowing the attacker to bypass the intended security measure and gain unauthorized access or execute commands via the CGI servlet.

What is the Impact of CVE-2025-46701?

Successful exploitation may allow attackers to bypass security constraints, leading to unauthorized access to restricted CGI resources or functionalities, and potentially enabling command execution or information disclosure.

What is the Exploitability of CVE-2025-46701?

Exploitation requires sending a specially crafted HTTP request to a vulnerable Apache Tomcat instance where the CGI servlet is enabled and security constraints are applied to its pathInfo. The complexity is moderate, as it requires understanding how the CGI servlet maps URIs and how security constraints are defined. No explicit authentication or privilege is required to initiate the attack; the goal is to bypass existing security. This is a remote vulnerability. Special conditions include the use of the CGI servlet and the application of security constraints that do not account for case-insensitivity in URI matching on pathInfo. The likelihood of exploitation increases if an application heavily relies on the CGI servlet for critical functionality with security constraints that might inadvertently be case-sensitive, and if these configurations are not thoroughly audited.
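One way to audit for the special conditions described above, as an added example (not code from the advisory, from Apache Tomcat, or from Resolved Security): it reads a deployment descriptor, finds path mappings of the CGI servlet, and lists security-constraint URL patterns that reach below such a mapping and therefore depend on how pathInfo is matched. It assumes the CGI servlet declaration and the constraints sit in one merged descriptor; the sample web.xml is constructed for illustration.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample descriptor (not from the page): one constraint covers the
# whole CGI mapping, the other only a path below it (i.e. part of pathInfo).
SAMPLE_WEB_XML = """
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
  <security-constraint><web-resource-collection><web-resource-name>admin</web-resource-name>
    <url-pattern>/cgi-bin/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint></security-constraint>
  <security-constraint><web-resource-collection><web-resource-name>all</web-resource-name>
    <url-pattern>/cgi-bin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>
</web-app>"""

def _named(elem, name):
    """Direct children with this local tag name, ignoring the XML namespace."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _texts(elem, name):
    return [(c.text or "").strip() for c in _named(elem, name)]

def cgi_path_prefixes(root):
    """Path-mapping prefixes ('/cgi-bin/') of servlets using the CGI servlet class."""
    names = {n for s in _named(root, "servlet")
             if CGI_CLASS in _texts(s, "servlet-class")
             for n in _texts(s, "servlet-name")}
    return [p[:-1] for m in _named(root, "servlet-mapping")
            if names & set(_texts(m, "servlet-name"))
            for p in _texts(m, "url-pattern") if p.endswith("/*")]

def audit(web_xml):
    """(constraint, CGI mapping) pairs where the constraint reaches into pathInfo."""
    root = ET.fromstring(web_xml)
    prefixes = cgi_path_prefixes(root)
    patterns = [p for sc in _named(root, "security-constraint")
                for wrc in _named(sc, "web-resource-collection")
                for p in _texts(wrc, "url-pattern")]
    return [(p, prefix + "*") for p in patterns for prefix in prefixes
            if p.startswith(prefix) and p != prefix + "*"]

if __name__ == "__main__":
    for pat, mapping in audit(SAMPLE_WEB_XML):
        print(f"review: constraint {pat} applies to pathInfo of CGI mapping {mapping}")
```

A constraint identical to the CGI mapping itself is not listed, because it covers every pathInfo value under that mapping regardless of case.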

What are the Known Public Exploits?

PoC Author | Link | Commentary
gregk4sec  | Link | Tomcat CVE-2025-46701 PoC

What are the Available Fixes for CVE-2025-46701?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch modifies the Tomcat CGIServlet to use the WebResource API for accessing CGI scripts instead of directly interacting with the file system or servlet context resources, ensuring resource access follows Tomcat's internal security controls and abstraction. By standardizing resource access and preventing direct reliance on filesystem paths, it mitigates the path traversal and arbitrary file access risks described in CVE-2025-46701.

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0.M1, <9.0.105 → Upgrade to 9.0.105
    • >10.1.0-M1, <10.1.41 → Upgrade to 10.1.41
    • >11.0.0-M1, <11.0.7 → Upgrade to 11.0.7
  • org.apache.tomcat:tomcat-catalina
    • >9.0.0.M1, <9.0.105 → Upgrade to 9.0.105
    • >10.1.0-M1, <10.1.41 → Upgrade to 10.1.41
    • >11.0.0-M1, <11.0.7 → Upgrade to 11.0.7

Additional Resources

What are Similar Vulnerabilities to CVE-2025-46701?

Similar Vulnerabilities: CVE-2021-42340, CVE-2021-26702, CVE-2020-13935, CVE-2016-0714, CVE-2015-5345