Risk | Low
Patch available | YES
Number of vulnerabilities | 1
CVE-ID | CVE-2025-46701
CWE-ID | CWE-178
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Apache Tomcat (Server applications / Web servers)
Vendor | Apache Foundation
Security Bulletin
This security bulletin contains one low-risk vulnerability.
EUVDB-ID: #VU109959
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-46701
CWE-ID:
CWE-178 - Improper Handling of Case Sensitivity
Exploit availability: No
Description
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to an error in URL handling on a case-insensitive filesystem when security constraints are configured for the pathInfo component of a URL mapped to the CGI servlet. A remote attacker can bypass the imposed security constraints via a specially crafted URL.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Apache Tomcat: 9.0.0 - 11.0.6
References:
https://lists.apache.org/thread/qyrz13o6960cfg33tz9ghld647884kvd
https://github.com/apache/tomcat/commit/fab7247d2f0e3a29d5daef565f829f383e10e5e2
https://github.com/apache/tomcat/commit/0f01966eb60015d975525019e12a087f05ebf01a
https://github.com/apache/tomcat/commit/2c6800111e7d8d8d5403c07978ea9bff3db5a5a5
https://github.com/apache/tomcat/commit/238d2aa54b99f91d1111467e2237d2244c64e558
https://github.com/apache/tomcat/commit/8df00018a252baa9497615d6420fb6c10466fa74
https://github.com/apache/tomcat/commit/8cb95ff03221067c511b3fa66d4f745bc4b0a605
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can an attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.