Hi Mark,

Thank you for clarifying this.

I’ve checked both Tomcat's *server.xml* and the application’s *context.xml*,
and confirmed that *RewriteValve* is not enabled in either location. Based
on your guidance, our Tomcat instances should not be affected by this CVE.

I appreciate your insight and the recommendation regarding rewrite
rules—it’s good to know that updating would be the safer option if
RewriteValve were ever enabled.

Thanks again for your support.

Best regards,
Thiru




On Thu, Oct 30, 2025 at 2:33 PM Mark Thomas <[email protected]> wrote:

> On 30/10/2025 04:34, Thiru wrote:
> > Hello Team,
> >
> > Good morning.
> >
> > I would greatly appreciate your guidance on the following question
> > regarding CVE-2025-55752:
> >
> > In a default Tomcat setup, the RewriteValve is not enabled by default.
> > Based on this, is it correct to assume that this vulnerability does not
> > affect default Tomcat installations?
>
> As long as the RewriteValve has not been enabled (keep in mind it could
> be configured at either the Tomcat or the application level), a Tomcat
> instance will not be vulnerable to this CVE.
>
> If the RewriteValve has been enabled, it will depend on the content of
> the rewrite rules. In that scenario, I'd view updating rather than
> reviewing the rewrite rules as the safer option.
>
> Mark
>
> >
> > Thank you for your time and assistance. I look forward to your insights.
> >
> > Kind regards,
> > Thiru
> >
>
>
>
>
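
The check discussed in this thread (is RewriteValve enabled at the Tomcat or the application level?) can be scripted. The following is an added example, not code from the thread or from the Tomcat project; `find_rewrite_valves` and `write_sample_base` are hypothetical names, a standard CATALINA_BASE layout is assumed, and applications deployed as unexpanded WAR files are not inspected.

```python
import glob
import os
import tempfile
import xml.etree.ElementTree as ET

REWRITE_VALVE = "org.apache.catalina.valves.rewrite.RewriteValve"
CONFIG_GLOBS = [  # where a <Valve> can be declared, relative to CATALINA_BASE
    "conf/server.xml",                 # Engine, Host or inline Context
    "conf/context.xml",                # defaults for every web application
    "conf/*/*/*.xml",                  # per-host descriptors, e.g. conf/Catalina/localhost/app.xml
    "conf/*/*/context.xml.default",    # per-host defaults
    "webapps/*/META-INF/context.xml",  # descriptors inside unpacked applications
]

def find_rewrite_valves(catalina_base):
    """Return sorted (relative_path, parent_tag) pairs for each active RewriteValve."""
    hits = []
    for pattern in CONFIG_GLOBS:
        for path in glob.glob(os.path.join(catalina_base, pattern)):
            rel = os.path.relpath(path, catalina_base)
            try:
                root = ET.parse(path).getroot()  # XML comments are dropped by the parser
            except ET.ParseError:
                hits.append((rel, "UNPARSEABLE"))  # flag for manual review
                continue
            for parent in root.iter():
                for child in parent:
                    if child.tag == "Valve" and child.get("className", "").strip() == REWRITE_VALVE:
                        hits.append((rel, parent.tag))
    return sorted(hits)

def write_sample_base(base):
    """Constructed sample: valve commented out in server.xml, active in one application."""
    files = {
        "conf/server.xml": '<Server><Service><Engine><Host name="localhost"><!-- '
                           f'<Valve className="{REWRITE_VALVE}"/> --></Host></Engine></Service></Server>',
        "conf/context.xml": "<Context/>",
        "webapps/shop/META-INF/context.xml": f'<Context><Valve className="{REWRITE_VALVE}"/></Context>',
    }
    for rel, body in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        write_sample_base(base)
        print(find_rewrite_valves(base))
```

Parsing the XML rather than searching for the class name as text means a commented-out valve is not reported, while a file that fails to parse is flagged for manual review instead of being silently skipped.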
