CVE-2025-55752 Overview
A relative path traversal vulnerability exists in Apache Tomcat, caused by a regression introduced by the fix for bug 60013. After that fix, the URL produced by the rewrite valve is normalized before it is decoded. When a rewrite rule copies query parameters into the URL path, an attacker can therefore place percent-encoded traversal sequences in a query parameter, have them survive normalization, and have them decoded into a request URI that bypasses security constraints, including the protection of /WEB-INF/ and /META-INF/. If PUT requests are also enabled, the same bypass can be used to upload a malicious file and achieve remote code execution.
Critical Impact
Attackers can bypass security constraints to read protected directories and, where PUT requests are enabled, upload files and achieve remote code execution. The vulnerability affects the Apache Tomcat 9.0.x, 10.1.x and 11.0.x branches as well as the end-of-life 8.5.x branch.
Affected Products
- Apache Tomcat 11.0.0-M1 through 11.0.10
- Apache Tomcat 10.1.0-M1 through 10.1.44
- Apache Tomcat 9.0.0.M11 through 9.0.108
- Apache Tomcat 8.5.6 through 8.5.100 (EOL versions)
Discovery Timeline
- 2025-10-27 - CVE-2025-55752 published to NVD
- 2025-11-14 - Last updated in NVD database
Technical Details for CVE-2025-55752
Vulnerability Analysis
This vulnerability is classified as CWE-23 (Relative Path Traversal). The flaw is an incorrect processing order in the rewrite valve: the rewritten URL is normalized before it is decoded. Normalization resolves literal . and .. segments, so to be effective it has to run on the decoded path. With the order reversed, an encoded sequence such as %2e%2e%2f (../ once decoded) is not a traversal segment at normalization time and is left untouched; decoding then turns it into a live ../ that later path resolution honours.
The attack is carried out over the network with ordinary HTTP requests. What it depends on is server configuration rather than credentials: a rewrite rule that copies query parameter values into the URL path. Where such a rule exists, the attacker can bypass the web application's security constraints and read resources under /WEB-INF/ and /META-INF/, such as deployment descriptors, context configuration and other application metadata.
Root Cause
The root cause is an order-of-operations error in URL processing. The fix for bug 60013 inadvertently changed the sequence so that normalization (which resolves . and .. segments) runs before decoding (which converts %XX sequences into characters). Encoded traversal sequences therefore pass through normalization untouched and are decoded afterwards, so the path that the security checks and the resource lookup operate on is no longer the one normalization vetted.
Attack Vector
The attack is conducted over the network by sending crafted HTTP requests with URL-encoded path traversal sequences in the request URI, typically inside a query parameter. When rewrite rules are configured to copy query parameter values into the URL path, an attacker can construct malicious URIs that:
- Pass through initial security constraint checks in their encoded form
- Get normalized (with no effect since traversal sequences are still encoded)
- Get decoded, revealing the path traversal sequences
- Access protected resources like /WEB-INF/web.xml or /META-INF/context.xml
If PUT requests are enabled, the same bypass lets an attacker write a malicious JSP or other executable content into the web application, leading to remote code execution. PUT is typically restricted to trusted users and is unlikely to be enabled together with rewrite rules that manipulate the URI, so the full RCE path requires an unusual configuration; the read-only bypass requires only the rewrite rule.
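The order-of-operations bug described in the Root Cause and Attack Vector sections, modelled in Python as an added example; this is not Tomcat's code. The rewrite rule (GET /download?file=X is rewritten to /files/X), the path names and the simplified normalize and protected-prefix checks are assumptions standing in for the real valve and container logic. The same request is run through both processing orders so the difference is visible side by side.

```python
from urllib.parse import unquote

# Directories the container must never serve directly (assumption: the same
# case-insensitive prefix check the page describes).
PROTECTED_PREFIXES = ("/web-inf/", "/meta-inf/")


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments. Only literal segments count: a segment that
    still reads '%2e%2e' is just an odd file name at this stage."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED_PREFIXES)


def rewrite(query: str) -> str:
    """Hypothetical rewrite rule: GET /download?file=X is rewritten to /files/X.
    An equivalent rewrite.config (illustrative, not from the page) would be:
        RewriteCond %{QUERY_STRING} ^file=(.*)$
        RewriteRule ^/download$ /files/%1 [L]
    The query value is copied raw, so any percent-encoding in X survives."""
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return "/files/" + params.get("file", "")


def handle(query: str, normalize_before_decode: bool) -> dict:
    """Run one rewritten request through the container in either processing order.
    normalize_before_decode=True is the regressed order; False is the corrected one."""
    rewritten = rewrite(query)
    if normalize_before_decode:
        checked = unquote(normalize(rewritten))   # '%2e%2e' is not '..' yet, so nothing collapses
    else:
        checked = normalize(unquote(rewritten))   # '..' is visible and gets resolved before the check
    if is_protected(checked):
        return {"rewritten": rewritten, "checked": checked, "blocked": True, "served": None}
    # The resource layer resolves whatever '..' segments are left relative to the web app root.
    return {"rewritten": rewritten, "checked": checked, "blocked": False, "served": normalize(checked)}


if __name__ == "__main__":
    for q in ("file=report.pdf", "file=%2e%2e%2fWEB-INF%2fweb.xml"):
        for regressed in (True, False):
            r = handle(q, normalize_before_decode=regressed)
            order = "normalize->decode (regressed)" if regressed else "decode->normalize (fixed)"
            print(f"{q:40} {order:30} checked={r['checked']!r:30} blocked={r['blocked']} served={r['served']}")
```

With the regressed order the checked path is /files/../WEB-INF/web.xml, which does not start with /WEB-INF/ and so passes the check, and the resource layer then resolves it to /WEB-INF/web.xml. With the corrected order the check sees /WEB-INF/web.xml and refuses it.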
Detection Methods for CVE-2025-55752
Indicators of Compromise
- HTTP requests containing URL-encoded path traversal sequences such as %2e%2e%2f or %2e%2e%5c in the request URI
- Access attempts to /WEB-INF/ or /META-INF/ directories from external sources
- Unusual PUT requests attempting to write files to web application directories
- Log entries whose decoded request URI (path and query parameters together) resolves to a protected directory; the standard access log records the original request line, not the rewritten URL, so the traversal is visible only after decoding
Detection Strategies
- Monitor web server access logs for requests containing encoded traversal patterns that resolve to protected directories
- Implement Web Application Firewall (WAF) rules to detect and block requests with suspicious URL-encoded sequences
- Review Apache Tomcat access logs for 200 responses to requests whose decoded path or query values resolve to /WEB-INF/ or /META-INF/ resources; the literal directory names will usually appear only in percent-encoded form inside a query parameter, so decode before matching
- Deploy endpoint detection and response (EDR) solutions to identify suspicious file write operations in web application directories
Monitoring Recommendations
- Enable detailed logging in Apache Tomcat to capture full request URIs; because the access log records only the original request line, raise the logging level for the rewrite valve where possible and decode query values when analysing logs
- Configure alerting for any successful access to protected web application directories
- Monitor for new or modified files in web application deployment directories, particularly JSP or class files
- Review rewrite valve configurations periodically for rules that may introduce security risks
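A detection pass over access log lines covering the indicators and strategies above, as an added example that is not part of the original page or of Tomcat. It assumes Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b); the log lines are constructed for the example, not real traffic. It decodes path and query together, because the vulnerable rewrite copies query values into the path, and it shows why grepping for the literal string /WEB-INF/ misses the lines that matter.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in Tomcat's default AccessLogValve format (%h %l %u %t "%r" %s %b).
# Line 2 is the traversal the page describes, line 3 the same idea aimed at META-INF,
# line 4 a PUT through the rewrite, line 5 a direct request for /WEB-INF/ that Tomcat refuses.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Oct/2025:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 5120
203.0.113.9 - - [27/Oct/2025:10:01:05 +0000] "GET /download?file=%2e%2e%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1874
203.0.113.9 - - [27/Oct/2025:10:01:09 +0000] "GET /download?file=..%2f..%2fMETA-INF%2fcontext.xml HTTP/1.1" 404 0
203.0.113.9 - - [27/Oct/2025:10:02:11 +0000] "PUT /download?file=%2e%2e%2fcmd.jsp HTTP/1.1" 201 0
198.51.100.4 - - [27/Oct/2025:10:03:00 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)
ENCODED_DOT = re.compile(r"%2e", re.IGNORECASE)                  # browsers never encode '.'
DOTDOT_SEGMENT = re.compile(r"(?:^|[/=&?\\])\.\.(?:[/\\]|$)")    # '..' standing as a whole segment
PROTECTED_NAME = re.compile(r"(web-inf|meta-inf)/", re.IGNORECASE)


def analyze(line: str):
    """Return a finding dict for one access log line, or None if nothing stands out."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, uri, status = m["method"], m["uri"], m["status"]
    decoded = unquote(uri)  # path AND query: the rewrite copies query values into the path
    reasons = []
    if ENCODED_DOT.search(uri):
        reasons.append("encoded-dot")
    if DOTDOT_SEGMENT.search(decoded) and PROTECTED_NAME.search(decoded):
        reasons.append("traversal-to-protected-dir")
    if PROTECTED_NAME.search(urlsplit(decoded).path):
        reasons.append("protected-path-literal")
    if method == "PUT" and status.startswith("2"):
        reasons.append("successful-put")
    if not reasons:
        return None
    return {"host": m["host"], "method": method, "status": int(status),
            "uri": uri, "decoded": decoded, "reasons": reasons}


def scan(log_text: str) -> list:
    """All findings in a log, in file order."""
    return [f for f in (analyze(l) for l in log_text.splitlines()) if f]


def naive_grep(log_text: str) -> list:
    """What a plain grep for the protected directory names finds: 1-based line numbers."""
    return [i for i, l in enumerate(log_text.splitlines(), 1)
            if "/WEB-INF/" in l or "/META-INF/" in l]


if __name__ == "__main__":
    print("naive grep matches lines:", naive_grep(SAMPLE_LOG))
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']:14} {f['method']:4} {f['status']} {', '.join(f['reasons']):42} {f['decoded']}")
```

The naive grep finds only line 5, the request Tomcat already refuses with a 404; the decoded pass flags lines 2 to 4, including the 200 response on line 2 that indicates a successful read of web.xml and the 201 on line 4 that indicates a file was written.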
How to Mitigate CVE-2025-55752
Immediate Actions Required
- Upgrade Apache Tomcat to version 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later immediately
- Disable PUT method support if it is not strictly required for application functionality
- Review and audit all rewrite valve rules for configurations that manipulate query parameters into URL paths
- Implement additional access controls at the network or WAF level to restrict access to sensitive directories
Patch Information
Apache has released patched versions that correct the URL processing order. Users should upgrade to the following fixed versions:
- Tomcat 11.x: Upgrade to version 11.0.11 or later
- Tomcat 10.1.x: Upgrade to version 10.1.45 or later
- Tomcat 9.0.x: Upgrade to version 9.0.109 or later
Users running EOL versions (8.5.x and earlier) should migrate to a supported branch. For detailed patch information, refer to the Apache Security Advisory or the Openwall OSS-Security Update.
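A version check against the affected and fixed versions listed above, as an added example that is not taken from the page or from Apache. It parses the "Server version: Apache Tomcat/..." line that $CATALINA_HOME/bin/version.sh prints (the sample output below is constructed) or a bare version string, and reports whether the version is inside an affected range and which release fixes it. Milestone builds such as 10.1.0-M1 and 9.0.0.M11 are ordered before the general-availability release at the same patch level so the range bounds from the advisory apply exactly.

```python
import re

GA = float("inf")  # a GA release sorts after every milestone at the same patch level

# Affected ranges and fixed versions as listed in the advisory for CVE-2025-55752:
# (lowest affected, highest affected, first fixed release; None where the branch is end of life).
ADVISORY = [
    ((11, 0, 0, 1), (11, 0, 10, GA), "11.0.11"),
    ((10, 1, 0, 1), (10, 1, 44, GA), "10.1.45"),
    ((9, 0, 0, 11), (9, 0, 108, GA), "9.0.109"),
    ((8, 5, 6, GA), (8, 5, 100, GA), None),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")

# Constructed sample of version.sh output from a vulnerable 9.0.x install.
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.108
Server built:   Sep 30 2025 15:00:00 UTC
Server number:  9.0.108.0
OS Name:        Linux
OS Version:     6.1.0-26-amd64
"""


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch, milestone) from version.sh output or a bare version.
    Milestones such as 10.1.0-M1 and 9.0.0.M11 get their M number; GA releases get GA."""
    anchored = re.search(r"Apache Tomcat/(\S+)", text)
    m = VERSION_RE.search(anchored.group(1) if anchored else text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else GA
    return (major, minor, patch, milestone)


def assess(text: str) -> dict:
    """Report whether the version is inside an affected range and which release fixes it."""
    v = parse_version(text)
    for low, high, fixed in ADVISORY:
        if low <= v <= high:
            return {"version": v, "vulnerable": True, "fixed_in": fixed}
    return {"version": v, "vulnerable": False, "fixed_in": None}


def advice(text: str) -> str:
    """One-line recommendation for the version found in text."""
    r = assess(text)
    major, minor, patch, ms = r["version"]
    shown = f"{major}.{minor}.{patch}" + ("" if ms == GA else f"-M{ms}")
    if not r["vulnerable"]:
        return f"{shown}: outside the affected ranges listed in the advisory"
    if r["fixed_in"] is None:
        return f"{shown}: affected; this branch is end of life, migrate to 9.0.109, 10.1.45 or 11.0.11 or later"
    return f"{shown}: affected; upgrade to {r['fixed_in']} or later"


if __name__ == "__main__":
    print(advice(SAMPLE_VERSION_SH))
    for v in ("Apache Tomcat/10.1.0-M1", "Apache Tomcat/9.0.0.M10", "Apache Tomcat/11.0.11", "Apache Tomcat/8.5.100"):
        print(advice(v))
```

Feed it the output of version.sh from each host (for example `version.sh | python3 check.py` with a small wrapper reading stdin) to get a fleet-wide list of installs that still need the upgrade.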
Workarounds
- Disable or carefully review rewrite rules that manipulate query parameters into URL paths until patching is complete
- Implement strict WAF rules to block URL-encoded path traversal sequences at the perimeter
- Restrict access to the Tomcat server to trusted networks only if immediate patching is not feasible
- Disable the PUT method if it is not needed. Tomcat's DefaultServlet accepts PUT and DELETE only when its readonly init-param is set to false (the default is true), so check $CATALINA_HOME/conf/web.xml and each application's WEB-INF/web.xml for that setting and revert it, or add a security constraint to $CATALINA_HOME/conf/web.xml that refuses PUT for everyone; an empty auth-constraint grants access to no role:

```xml
<!-- $CATALINA_HOME/conf/web.xml: refuse PUT on every URL -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>No PUT</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
```

```bash
# Check the running version against the fixed versions listed above
$CATALINA_HOME/bin/catalina.sh version
# Locate rewrite valve declarations (conf/, per-host context files, web apps) and their rule files
grep -r "RewriteValve" $CATALINA_HOME/conf/ $CATALINA_HOME/webapps/*/META-INF/context.xml
find $CATALINA_HOME -name rewrite.config
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


