PT-2025-23194 · Apache · Apache Tomcat

Greg K · Published 2025-05-12 · Updated 2026-06-02 · CVE-2025-46701

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat 11.0.0-M1 through 11.0.6
Apache Tomcat 10.1.0-M1 through 10.1.40
Apache Tomcat 9.0.0.M1 through 9.0.104
Description
Apache Tomcat's CGI servlet handles case sensitivity improperly. On the affected versions, a security constraint that applies to the pathInfo component of a URI mapped to the CGI servlet can be bypassed: a request whose pathInfo differs from the constrained path only in letter case is not matched by the constraint, yet on a case-insensitive file system it still resolves to the same script. Exposure requires the CGI servlet to be enabled (it is commented out in the default conf/web.xml) and security constraints to be placed on paths beneath its mapping.
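The pattern behind this class of bug, as an added illustration that is not Tomcat's code and does not reproduce the Tomcat code path: an authorization check that compares the request path case-sensitively, sitting in front of a resource lookup that tolerates case differences. The constraint, the script names and the role are all hypothetical, and the "file system" is a constructed dictionary that behaves case-insensitively. The fixed dispatcher shows one fail-closed strategy: resolve the real on-disk name first and refuse any request whose spelling does not match it exactly.

```python
"""Case-handling mismatch between an authorization check and the lookup it
guards. Added illustration, not Tomcat's code; every path, role and script
name below is hypothetical."""
from typing import Optional, Set

# Hypothetical security constraint: everything under /admin/ (relative to the
# CGI servlet's mapping) requires the "admin" role.
CONSTRAINTS = {"/admin/": {"admin"}}

# Constructed stand-in for a script directory on a case-insensitive file
# system: a lookup succeeds regardless of letter case.
SCRIPTS_ON_DISK = {
    "/admin/report.cgi": "report-script",
    "/public/hello.cgi": "hello-script",
}


def canonical_path(path_info: str) -> Optional[str]:
    """Return the on-disk spelling of the requested path, or None."""
    wanted = path_info.lower()
    for name in SCRIPTS_ON_DISK:
        if name.lower() == wanted:
            return name
    return None


def resolve_script(path_info: str) -> Optional[str]:
    """Locate the script the way a case-insensitive file system would."""
    canon = canonical_path(path_info)
    return SCRIPTS_ON_DISK[canon] if canon else None


def authorized(path_info: str, roles: Set[str]) -> bool:
    """Case-sensitive prefix match, like a url-pattern constraint."""
    for prefix, required in CONSTRAINTS.items():
        if path_info.startswith(prefix):
            return bool(required & roles)
    return True  # unconstrained path


def dispatch_vulnerable(path_info: str, roles: Set[str]) -> str:
    """Check the constraint against the raw request path, then run whatever
    the file system resolves. The two steps disagree about case, so
    '/Admin/report.cgi' skips the constraint but runs the admin script."""
    if not authorized(path_info, roles):
        return "403"
    script = resolve_script(path_info)
    return script if script else "404"


def dispatch_fixed(path_info: str, roles: Set[str]) -> str:
    """Resolve first; reject any request whose spelling differs from the
    real name; only then apply the constraint to the canonical path."""
    canon = canonical_path(path_info)
    if canon is None or canon != path_info:
        return "404"  # no such file, or case does not match the real name
    if not authorized(canon, roles):
        return "403"
    return SCRIPTS_ON_DISK[canon]
```

The vulnerable dispatcher returns 403 for `/admin/report.cgi` without the role but runs the script for `/Admin/report.cgi`; the fixed one treats the mixed-case request as a miss and keeps enforcing the constraint on the exact spelling.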
Recommendations
Apache Tomcat 11.0.0-M1 through 11.0.6: upgrade to 11.0.7.
Apache Tomcat 10.1.0-M1 through 10.1.40: upgrade to 10.1.41.
Apache Tomcat 9.0.0.M1 through 9.0.104: upgrade to 9.0.105.
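A helper for checking installed versions against the ranges above, added here and not part of the Tomcat project. It parses the version spellings Tomcat uses (9.0.0.M1, 10.1.0-M1, 11.0.6), orders milestones before the final release of the same number, and also accepts the "Server version: Apache Tomcat/x.y.z" line printed by bin/version.sh. One caveat: distribution packages covered by the RHSA, DLA, USN and SUSE identifiers listed below may carry the fix under an older upstream version number, so for those, check the vendor advisory rather than this version comparison.

```python
"""Decide whether a Tomcat version string falls in the affected ranges listed
above and which release fixes it. Added helper, not from the Tomcat project."""
import re
from typing import Optional, Tuple

# major, minor, patch, is_final (1 for a release, 0 for a milestone), milestone
Version = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse '9.0.0.M1', '10.1.0-M1' or '11.0.6'. Milestones sort before the
    final release with the same number, and M1 before M2."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, first fixed) per branch, taken from the advisory text above.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.7"),
    ("10.1.0-M1", "10.1.41"),
    ("9.0.0.M1", "9.0.105"),
]


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_version). fixed_version is None when the
    version lies outside every range on this page; that covers fixed
    releases as well as branches the page does not list, such as 8.5.x."""
    v = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        lo, hi = parse_version(first), parse_version(fixed)
        if lo[:2] != v[:2]:  # different branch (major.minor)
            continue
        if lo <= v < hi:
            return True, fixed
        return False, None
    return False, None


def assess_server_version_line(line: str) -> Tuple[bool, Optional[str]]:
    """Accept the 'Server version: Apache Tomcat/9.0.104' line that
    bin/version.sh (or catalina.sh version) prints."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        raise ValueError(f"no Tomcat version in line: {line!r}")
    return assess(m.group(1))
```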


Related Identifiers

ALT-PU-2025-13307
ALT-PU-2025-8715
BDU:2025-09498
BIT-TOMCAT-2025-46701
CVE-2025-46701
DLA-4244-1
GHSA-H2FW-RFH5-95R3
MGASA-2025-0177
OESA-2025-1641
OPENSUSE-SU-2025:15301-1
OPENSUSE-SU-2025:15302-1
OPENSUSE-SU-2025:15303-1
RHSA-2026:18536
RHSA-2026:18537
RHSA-2026:18916
RHSA-2026:2740
SUSE-SU-2025:02214-1
SUSE-SU-2025:02261-1
SUSE-SU-2025:02280-1
SUSE-SU-2026:1058-1
USN-7705-1

Affected Products

ALT Linux
Apache Tomcat
Astra Linux
Bitbucket
Debian
Linux Mint
RED OS
SUSE
Ubuntu