CVE-2025-49125
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-11-03
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | tomcat | From 9.0.0 (inc) to 9.0.106 (exc) |
| apache | tomcat | From 10.1.0 (inc) to 10.1.42 (exc) |
| apache | tomcat | From 11.0.0 (inc) to 11.0.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Apache Tomcat allows an attacker to bypass authentication: when PreResources or PostResources are mounted at a location other than the root of the web application, those resources can be reached through an unexpected path. That alternate path is likely not covered by the same security constraints as the expected path, so the constraints protecting the resources can be bypassed.
How can this vulnerability impact me?
The vulnerability can allow unauthorized users to access protected resources within an Apache Tomcat web application by exploiting alternate paths that bypass security constraints. This could lead to unauthorized access to sensitive information or functionality that should be restricted.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache Tomcat to version 11.0.8, 10.1.42, or 9.0.106, which fix the issue.