Multiple vulnerabilities in Apache Tomcat
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2025-49125 CVE-2025-49124 CVE-2025-48988 CVE-2025-48976 |
| CWE-ID | CWE-424 CWE-426 CWE-400 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
Apache Tomcat Server applications / Web servers |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Improper Protection of Alternate Path
EUVDB-ID: #VU111159
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-49125
CWE-ID:
CWE-424 - Improper Protection of Alternate Path
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper access restrictions when using PreResources or PostResources mounted other than at the root of the web application. A remote attacker can bypass configured security rules using a alternate path and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Tomcat: 9.0.0 - 11.0.7
CPE2.3- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M9:*:*:*:*:*:*:*
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637
https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c
https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9
https://lists.apache.org/thread/gp5rzzqnp7q71bm7lsvxoow89nz1tkjw
https://lists.apache.org/thread/n7f5v6fzovfxkpqf5q0cztqqn0kjjs4p
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Untrusted search path
EUVDB-ID: #VU111160
Risk: Low
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-49124
CWE-ID:
CWE-426 - Untrusted Search Path
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of an untrusted search path in the application's installer on Windows. A local user can place a malicious binary icacls.exe into the current working directory of the installer file end execute arbitrary code with elevated privileges.
Note, the vulnerability affects Windows systems only.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Tomcat: 9.0.0 - 11.0.7
CPE2.3- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M9:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M10:*:*:*:*:*:*:*
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://github.com/apache/tomcat/commit/c56456cda8151c9504dfb7985700824559d769a7
https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49
https://github.com/apache/tomcat/commit/28726cc2e63bed68771f5eb0f65a78dc7080571823
https://lists.apache.org/thread/p201jp4to0nr4ky9h3j97ywk2zqv185m
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource exhaustion
EUVDB-ID: #VU111161
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2025-48988
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling multipart requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Tomcat: 9.0.0 - 11.0.7
CPE2.3- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M9:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M10:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M11:*:*:*:*:*:*:*
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://github.com/apache/tomcat/commit/2b0ab14fb55d4edc896e5f1817f2ab76f714ae5e
https://github.com/apache/tomcat/commit/cdde8e655bc1c5c60a07efd216251d77c52fd7f6
https://github.com/apache/tomcat/commit/ee8042ffce4cb9324dfd79efda5984f37bbb6910
https://lists.apache.org/thread/pmtvgndbl12r0rrfnqnnxjcno0nggpbm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Resource exhaustion
EUVDB-ID: #VU111162
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2025-48976
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache Tomcat: 9.0.0 - 11.0.7
CPE2.3- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M1:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M4:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M5:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M6:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M7:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M8:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M9:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M10:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M11:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_tomcat:9.0.0-M12:*:*:*:*:*:*:*
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.8
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.42
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.106
https://github.com/apache/tomcat/commit/74f69ffaf61e54c727603e7e831fe20f0ac5d2a7
https://github.com/apache/tomcat/commit/667ddd76e2a0e762f3a784d86f0d25e7fd7cdb86
https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93
https://lists.apache.org/thread/3c3q2hv3vv7bz15p4vxx9dpbqbrzpyvm
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
