CVE-2025-55752
Security Bypass vulnerability in tomcat (Maven)
What is CVE-2025-55752 About?
This vulnerability is a security bypass affecting Apache Tomcat due to a regression in URL processing, allowing attackers to bypass security constraints. By manipulating the request URI, attackers can access restricted resources like /WEB-INF/ and /META-INF/. If PUT requests are also enabled, this could lead to remote code execution, making it a critical threat that is moderately complex to exploit.
Affected Software
- org.apache.tomcat:tomcat
  - >10.1.0-M1, <10.1.45
  - >9.0.0.40, <9.0.109
  - >8.5.60, <=8.5.100
  - >11.0.0-M1, <11.0.11
- org.apache.tomcat:tomcat-catalina
  - >10.1.0-M1, <10.1.45
  - >9.0.0.40, <9.0.109
  - >8.5.60, <=8.5.100
  - >11.0.0-M1, <11.0.11
- org.apache.tomcat.embed:tomcat-embed-core
  - >10.1.0-M1, <10.1.45
  - >9.0.0.40, <9.0.109
  - >8.5.60, <=8.5.100
  - >11.0.0-M1, <11.0.11
Technical Details
The vulnerability is a regression stemming from a prior fix (bug 60013) that caused the rewritten URL to be normalized before it was decoded. This incorrect order of operations creates a parsing ambiguity. If rewrite rules are configured to manipulate query parameters and rewrite them into the URL path, an attacker can craft a request URI that, when processed, bypasses security constraints intended to protect sensitive directories such as /WEB-INF/ and /META-INF/. If the server is also configured to allow PUT requests (though this is uncommon for untrusted users), an attacker could then upload malicious files to these sensitive directories, potentially achieving remote code execution.
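The ordering problem described above can be modelled in a few lines. The following Python is an added example, not Tomcat's code: it starts from the already-rewritten path (the rewrite step that moves query parameters into the path is omitted), compares the regressed order (normalize, then decode) with the correct order (decode, then normalize) against the /WEB-INF/ and /META-INF/ constraint check, and then applies the correct canonicalisation as detection logic over constructed access-log lines. Function names, the sample path and the log lines are assumptions made for the example; the percent-encoded dot segments are the textbook input for this class of bug.

```python
import posixpath
import re
from typing import List, Tuple
from urllib.parse import unquote

# Directories the advisory names as protected by security constraints.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a container does before matching constraints."""
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep a trailing slash so prefix matching still works
    return norm


def decode_then_normalize(raw_path: str) -> str:
    """Correct order: percent-decode first, then normalize what the decoding produced."""
    return normalize(unquote(raw_path))


def normalize_then_decode(raw_path: str) -> str:
    """The regressed order the advisory describes: normalize first, decode afterwards.
    Encoded dot segments survive normalization and only become '..' at the end,
    so the constraint check never sees the canonical path."""
    return unquote(normalize(raw_path))


def is_protected(path: str) -> bool:
    """Constraint check on an (assumed canonical) path; case-insensitive as a
    conservative choice so mixed-case variants are not missed."""
    return path.upper().startswith(PROTECTED_PREFIXES)


# Request field of a Tomcat access-log style line, e.g. "GET /app/index.jsp HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag requests whose canonical path lands under a protected directory.
    Returns (method, raw path, canonical path); a PUT in this list is the
    upload scenario the advisory warns about and deserves an alert."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group("target").split("?", 1)[0]  # drop the query string
        canonical = decode_then_normalize(raw_path)
        if is_protected(canonical):
            hits.append((m.group("method"), raw_path, canonical))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "GET /app/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 1480',
    '10.0.0.5 - - [01/Jan/2025:12:00:02 +0000] "PUT /app/%2e%2e/META-INF/upload.txt HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    raw = "/app/%2e%2e/WEB-INF/web.xml"
    wrong = normalize_then_decode(raw)
    right = decode_then_normalize(raw)
    print(f"normalize-then-decode: {wrong!r} protected={is_protected(wrong)}")
    print(f"decode-then-normalize: {right!r} protected={is_protected(right)}")
    for hit in scan_access_log(SAMPLE_LOG):
        print("flagged:", hit)
```

Running the script shows the regressed order yielding `/app/../WEB-INF/web.xml`, which the prefix check does not match, while the correct order yields `/WEB-INF/web.xml`, which it does. The scanner is the same canonicalisation turned into a log check: canonicalise every request path and alert on anything that resolves under a protected directory, regardless of response status.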
What is the Impact of CVE-2025-55752?
Successful exploitation may allow attackers to bypass security constraints, gain unauthorized access to sensitive application resources and configuration files, and potentially achieve remote code execution, leading to full system compromise.
What is the Exploitability of CVE-2025-55752?
Exploitation is remote. The initial bypass typically requires no authentication and no particular privileges; reaching remote code execution via file upload (PUT requests) would likely require authenticated access or a configuration where PUT is enabled for unprivileged users. The bypass itself effectively grants elevated access, since it exposes resources the security constraints were meant to protect. The complexity lies in crafting the URI manipulation that triggers the bypass in conjunction with rewrite rules. Two configuration factors drive both likelihood and impact: rewrite rules that move query parameters into the URL path, which are a precondition for the bypass, and, critically, the rare case where PUT requests are enabled for untrusted users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| TAM-K592 | Link | CVE-2025-55752, Apache Tomcat that allows directory traversal via URL rewrite, and under certain conditions, leads to remote code execution (RCE) if HTTP PUT is enabled. |
What are the Available Fixes for CVE-2025-55752?
Available Upgrade Options
- org.apache.tomcat:tomcat
  - >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
  - >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
  - >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11
- org.apache.tomcat:tomcat-catalina
  - >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
  - >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
  - >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11
- org.apache.tomcat.embed:tomcat-embed-core
  - >9.0.0.40, <9.0.109 → Upgrade to 9.0.109
  - >10.1.0-M1, <10.1.45 → Upgrade to 10.1.45
  - >11.0.0-M1, <11.0.11 → Upgrade to 11.0.11
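To turn the affected ranges and upgrade targets above into something a build pipeline can run, the following Python is an added example (not a tool from the Tomcat project or the advisory's publisher). It encodes the ranges exactly as listed on this page, compares Tomcat version strings including milestone releases such as 10.1.0-M1, and audits a pom.xml for the three affected artifacts, resolving `${property}` versions from the `<properties>` block. The sample pom.xml is constructed for the example; note that the 8.5 branch is listed as affected but has no upgrade target on this page, so the audit reports it as affected with no fix.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Artifacts this advisory lists as affected; the same ranges apply to all three.
TOMCAT_ARTIFACTS = {
    "org.apache.tomcat:tomcat",
    "org.apache.tomcat:tomcat-catalina",
    "org.apache.tomcat.embed:tomcat-embed-core",
}

# (lower bound, upper bound, fixed release) per branch, copied from the page.
# Bounds are (operator, version). The 8.5 branch has no fixed release listed.
AFFECTED_RANGES = [
    ((">", "8.5.60"), ("<=", "8.5.100"), None),
    ((">", "9.0.0.40"), ("<", "9.0.109"), "9.0.109"),
    ((">", "10.1.0-M1"), ("<", "10.1.45"), "10.1.45"),
    ((">", "11.0.0-M1"), ("<", "11.0.11"), "11.0.11"),
]

VersionKey = Tuple[Tuple[int, ...], int, int]


def parse_version(v: str) -> VersionKey:
    """Map '10.1.0-M1' or '9.0.109' to a sortable key; milestones sort before GA."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2) is None:
        return (nums, 0, 0)  # GA release
    return (nums, -1, int(m.group(2)))  # milestone, e.g. 10.1.0-M1


def _satisfies(key: VersionKey, bound: Tuple[str, str]) -> bool:
    op, other = bound
    o = parse_version(other)
    return {">": key > o, ">=": key >= o, "<": key < o, "<=": key <= o}[op]


def affected_range(version: str):
    """Return the (low, high, fix) range a version falls in, or None if outside all."""
    key = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if _satisfies(key, low) and _satisfies(key, high):
            return (low, high, fix)
    return None


def is_affected(version: str) -> bool:
    return affected_range(version) is not None


def recommended_fix(version: str) -> Optional[str]:
    r = affected_range(version)
    return r[2] if r else None


POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def find_tomcat_deps(pom_xml: str) -> List[Tuple[str, str]]:
    """List (groupId:artifactId, version) for Tomcat artifacts declared in a pom.xml,
    resolving ${property} versions from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {p.tag[len(POM_NS):]: (p.text or "").strip()
             for p in root.findall(f"{POM_NS}properties/*")}
    deps = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId", "") or ""
        aid = dep.findtext(f"{POM_NS}artifactId", "") or ""
        coord = f"{gid}:{aid}"
        if coord not in TOMCAT_ARTIFACTS:
            continue
        version = (dep.findtext(f"{POM_NS}version", "") or "").strip()
        prop = re.fullmatch(r"\$\{(.+)\}", version)
        if prop:
            version = props.get(prop.group(1), version)
        deps.append((coord, version))
    return deps


def audit_pom(pom_xml: str):
    """One (coordinate, version, affected?, fix) row per Tomcat dependency."""
    return [(c, v, is_affected(v), recommended_fix(v)) for c, v in find_tomcat_deps(pom_xml)]


# Constructed sample pom.xml, not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><tomcat.version>10.1.44</tomcat.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-catalina</artifactId>
      <version>9.0.109</version>
    </dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, version, hit, fix in audit_pom(SAMPLE_POM):
        status = f"AFFECTED, upgrade to {fix}" if hit else "not affected"
        print(f"{coord} {version}: {status}")
```

The range bounds are strict or inclusive exactly as written on the page, so 10.1.0-M1 itself is reported as outside the range while 10.1.0-M2 is inside it. The audit only inspects versions declared directly in the pom; transitive Tomcat dependencies (for example via a Spring Boot starter) need the resolved dependency tree, not the pom text.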
Additional Resources
- https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
- https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a
- https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11
- https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06
- https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df
- https://nvd.nist.gov/vuln/detail/CVE-2025-55752
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109
- https://github.com/apache/tomcat
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45
What are Similar Vulnerabilities to CVE-2025-55752?
Similar Vulnerabilities: CVE-2022-42282, CVE-2021-42302, CVE-2020-13935, CVE-2019-0232, CVE-2017-5647
