Improper authorization in Apache Tomcat - CVE-2025-66614

Published: February 17, 2026 / Updated: February 18, 2026


Vulnerability identifier: #VU122998
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-66614
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
Apache Tomcat

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass client certificate verification.

The vulnerability exists because Tomcat does not validate that the host name provided via the TLS SNI extension is the same as the host name provided in the HTTP Host header field. If more than one virtual host is configured and the TLS configuration for one of those hosts does not require client certificate authentication, a client can bypass client certificate authentication for the target host by sending different host names in the SNI extension and the HTTP Host header field.
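The check the advisory describes as missing, as an added example that is not part of the advisory or of Apache Tomcat's own code: the host negotiated in the TLS SNI extension is the one whose client-certificate policy was enforced during the handshake, so a request is only trusted for the Host header's virtual host when the two names agree. Virtual host names (`secure.example.test`, `public.example.test`), the `VirtualHost`/`Request` types and the sample requests are constructed for illustration.

```python
"""
Added example (not from the advisory or from Apache Tomcat).

Enforces that the TLS SNI host name and the HTTP Host header name the same
virtual host before a per-host client-certificate policy is relied upon.
All host names and requests here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def normalize_host(value: str) -> str:
    """Lower-case a host name and strip an optional :port suffix.

    Handles bracketed IPv6 literals ("[::1]:8443") as well as plain names,
    and treats a trailing dot ("example.test.") as equivalent to no dot.
    """
    value = value.strip().lower()
    if value.startswith("["):
        # IPv6 literal: the host is everything up to and including "]"
        end = value.find("]")
        return value[: end + 1] if end != -1 else value
    host, _, _port = value.partition(":")
    return host.rstrip(".")


def sni_matches_host_header(sni: Optional[str], host_header: Optional[str]) -> bool:
    """True only when SNI and Host header name the same virtual host."""
    if not sni or not host_header:
        return False
    return normalize_host(sni) == normalize_host(host_header)


@dataclass(frozen=True)
class VirtualHost:
    name: str
    requires_client_cert: bool


@dataclass(frozen=True)
class Request:
    sni: Optional[str]            # server_name from the TLS handshake
    host_header: Optional[str]    # HTTP Host header
    client_cert_verified: bool    # did the handshake verify a client certificate?


# Constructed sample configuration (hypothetical names): one virtual host
# requires mutual TLS, the other accepts anonymous clients.
VHOSTS: Dict[str, VirtualHost] = {
    "secure.example.test": VirtualHost("secure.example.test", requires_client_cert=True),
    "public.example.test": VirtualHost("public.example.test", requires_client_cert=False),
}


def authorize(req: Request, vhosts: Dict[str, VirtualHost] = VHOSTS) -> str:
    """Decide whether a request may reach the virtual host in its Host header.

    Returns "allow" or one of the deny reasons
    "deny:sni-host-mismatch", "deny:unknown-host", "deny:client-cert-required".
    """
    # The client-certificate policy applied during the handshake belongs to
    # the SNI host.  If the Host header points at a different virtual host,
    # that policy says nothing about the requested host, so refuse.
    if not sni_matches_host_header(req.sni, req.host_header):
        return "deny:sni-host-mismatch"
    target = vhosts.get(normalize_host(req.host_header))
    if target is None:
        return "deny:unknown-host"
    if target.requires_client_cert and not req.client_cert_verified:
        return "deny:client-cert-required"
    return "allow"


if __name__ == "__main__":
    # A request whose SNI selected the anonymous host but whose Host header
    # asks for the mutual-TLS host is rejected before any routing happens.
    print(authorize(Request("public.example.test", "secure.example.test", False)))
    print(authorize(Request("secure.example.test", "secure.example.test", True)))
```

The example rejects a request that carries no SNI at all; a deployment that maps a missing SNI to a default host would instead compare the Host header against that default host's name, which is the same rule with a different source for the first operand. The point the advisory makes is that the comparison must happen at all: the per-host client-certificate requirement is only meaningful for the host whose TLS configuration actually governed the handshake.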


How to mitigate CVE-2025-66614

Install updates from vendor's website.
