Improper Neutralization in Apache Tomcat's Rewrite Rules
CVE-2025-31651

9.8 CRITICAL

Key Information:

Vendor: Apache
CVE Published: 28 April 2025

Badges

📰 News Worthy

Summary

Affected versions of Apache Tomcat contain an improper neutralization of escape sequences in certain rewrite rule configurations, which allows a specially crafted request to bypass those rewrite rules. Where the bypassed rules are meant to enforce security constraints, this can lead to unauthorized access or other malicious actions. Users running affected versions should upgrade to the fixed release for their branch.

Affected Version(s)

Apache Tomcat 11.0.0-M1 through 11.0.5 (inclusive)

Apache Tomcat 10.1.0-M1 through 10.1.39 (inclusive)

Apache Tomcat 9.0.0.M1 through 9.0.102 (inclusive)

News Articles

Multiple Vulnerabilities in Apache Tomcat Software

The Apache Software Foundation has released updates addressing multiple vulnerabilities affecting their Apache Tomcat software. Users and administrators of...

1 week ago

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by Cyber Security Agency of Singapore

  • Vulnerability published

  • Vulnerability reserved

Credit

COSCO Shipping Lines DIC