PT-2025-25560 · Apache · Apache Tomcat
Greg K · Published 2025-01-01 · Updated 2026-04-28
CVE-2025-49125
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.7
Apache Tomcat versions 10.1.0-M1 through 10.1.41
Apache Tomcat versions 9.0.0.M1 through 9.0.105
Description
The issue is an Authentication Bypass Using an Alternate Path or Channel weakness. When PreResources or PostResources were mounted somewhere other than the root of the web application, those resources could also be reached through an unexpected path. That path was likely not protected by the same security constraints as the expected path, so those constraints could be bypassed.
Recommendations
For Apache Tomcat versions 11.0.0-M1 through 11.0.7, upgrade to version 11.0.8.
For Apache Tomcat versions 10.1.0-M1 through 10.1.41, upgrade to version 10.1.42.
For Apache Tomcat versions 9.0.0.M1 through 9.0.105, upgrade to version 9.0.106.
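A triage check for the version ranges above, added here as an example and not taken from the advisory or from the Tomcat project: it parses Tomcat version strings (milestone builds such as 11.0.0-M1 and 9.0.0.M1 sort before the GA release with the same number) and reports the fixed release to upgrade to. The function names and the AFFECTED table are assumptions built from this page.

```python
import re
from typing import Optional, Tuple

# Affected ranges and fixed releases exactly as stated in this advisory
# (CVE-2025-49125): (first affected, last affected, fixed release).
AFFECTED = [
    ("11.0.0-M1", "11.0.7", "11.0.8"),
    ("10.1.0-M1", "10.1.41", "10.1.42"),
    ("9.0.0.M1", "9.0.105", "9.0.106"),
]

# Tomcat 11/10 write milestones as "11.0.0-M1", Tomcat 9 as "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    Returns (major, minor, patch, is_ga, milestone). A milestone build
    gets is_ga=0 so it sorts before the GA release of the same number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version(version: str) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is not affected."""
    key = parse_version(version)
    for low, high, fix in AFFECTED:
        if parse_version(low) <= key <= parse_version(high):
            return fix
    return None


def is_affected(version: str) -> bool:
    return fixed_version(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["9.0.105", "9.0.106", "10.1.0-M5", "11.0.7", "11.0.8", "8.5.100"]:
        print(v, "->", fixed_version(v) or "not affected")
```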
Fix
DoS
Authentication Bypass Using an Alternate Path or Channel
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Astra Linux
Bitbucket
Centos
Debian
Red Hat
Red Os
Rocky Linux
Suse