Main Vulnerability Database Vulnerabilities #VU117681

Path traversal in Apache Tomcat - CVE-2025-55752

Published: October 27, 2025 / Updated: October 31, 2025

Vulnerability identifier: #VU117681

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2025-55752

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Apache Foundation

Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to input validation error when processing directory traversal sequences passed via Rewrite Valve. A remote attacker can send a specially crafted HTTP PUT request and write arbitrary files to the server, leading to remote code execution.

How to mitigate CVE-2025-55752

Install updates from vendor's website.

Sources

https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109
https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45
https://lists.apache.org/thread/2fbxt6dpjnpvgn4mkxt6mzvkhnno1yy9

Path traversal in Apache Tomcat - CVE-2025-55752

Detailed vulnerability description

How to mitigate CVE-2025-55752

Sources

Please verify you're human