CVE-2025-55752 Apache Tomcat - Directory traversal via rewrite with possible RCE if PUT is enabled
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.10
Apache Tomcat 10.1.0-M1 to 10.1.44
Apache Tomcat 9.0.0.M11 to 9.0.108
Older, EOL versions may also be affected
Description:
The fix for bug 60013 introduced a regression where the rewritten URL
was normalized before it was decoded. This introduced the possibility
that, for rewrite rules that rewrite query parameters to the URL, an
attacker could manipulate the request URI to bypass security constraints
including the protection for /WEB-INF/ and /META-INF/. If PUT requests
were also enabled then malicious files could be uploaded leading to
remote code execution. PUT requests are normally limited to trusted
users and it is considered unlikely that PUT requests would be enabled
in conjunction with a rewrite that manipulated the URI.
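The ordering defect described above, modelled as an added Python example rather than Tomcat's own code: `rewrite` is a constructed stand-in for a rule that copies a query parameter into the path, and `serve` is a simplified model of the container's constraint check. It shows why the path must be decoded before it is normalized, and that the reversed order only lets an encoded dot segment through.

```python
from urllib.parse import unquote
import posixpath

# Prefixes that the servlet specification says must never be served.
PROTECTED = ("/WEB-INF/", "/META-INF/")

def normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a container does."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm

def is_protected(path: str) -> bool:
    """Security constraint: nothing under /WEB-INF/ or /META-INF/ is served."""
    upper = path.upper()
    return any(upper.startswith(p) for p in PROTECTED)

def rewrite(file_param: str) -> str:
    """Constructed stand-in (not a real Tomcat rule) for a rewrite that
    copies a query parameter into the URL, e.g. ?file=x -> /static/x."""
    return "/static/" + file_param

def resolve_buggy(rewritten: str) -> str:
    """Regressed order: normalize, then decode. An encoded dot segment
    survives normalization and only becomes '..' afterwards."""
    return unquote(normalize(rewritten))

def resolve_fixed(rewritten: str) -> str:
    """Correct order: decode first, then normalize, so every dot segment
    is visible when traversal is collapsed."""
    return normalize(unquote(rewritten))

def serve(file_param: str, resolver) -> tuple[str, bool]:
    """Model of the request path: return (resource actually opened, allowed?).
    The constraint check runs on the resolver's output; any '..' still
    present at that point is collapsed later when the resource is located."""
    path = resolver(rewrite(file_param))
    if is_protected(path):
        return path, False
    return normalize(path), True

if __name__ == "__main__":
    for name, resolver in (("buggy", resolve_buggy), ("fixed", resolve_fixed)):
        print(name, serve("%2e%2e/WEB-INF/web.xml", resolver))
```

With the regressed order the constraint check sees `/static/../WEB-INF/web.xml`, which does not match a protected prefix, while the resource eventually opened is `/WEB-INF/web.xml`; the fixed order presents the collapsed path to the check and refuses it.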
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.11 or later
- Upgrade to Apache Tomcat 10.1.45 or later
- Upgrade to Apache Tomcat 9.0.109 or later
Credit:
Chumy Tsai (github.com/Jimmy01240397) @ CyCraft Technology Intern
History:
2025-10-27 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html