Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <6f098cf1-6aba-4e35-b72f-af8994cef75d@apache.org>
Date: Mon, 16 Jun 2025 15:18:47 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-49125: Apache Tomcat: Security constraint bypass for
 pre/post-resources

Severity: moderate

Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.7
- Apache Tomcat 10.1.0-M1 through 10.1.41
- Apache Tomcat 9.0.0.M1 through 9.0.105

Description:

Authentication Bypass Using an Alternate Path or Channel vulnerability 
in Apache Tomcat.  When using PreResources or PostResources mounted 
other than at the root of the web application, it was possible to access 
those resources via an unexpected path. That path was likely not to be 
protected by the same security constraints as the expected path, 
allowing those security constraints to be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 
10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105.

Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, 
which fix the issue.

Credit:

Greg K (https://github.com/gregk4sec) (finder)

References:

https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-49125

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.