Case Sensitivity Vulnerability in Apache Tomcat GCI Servlet
CVE-2025-46701

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 29 May 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-46701?

An improper handling of case sensitivity vulnerability exists in the GCI servlet of Apache Tomcat. This flaw allows a bypass of security constraints linked to the pathInfo component of a URI. This can potentially enable malicious users to access restricted resources without proper authorization. Affected versions include Apache Tomcat from 11.0.0-M1 through 11.0.6, 10.1.0-M1 through 10.1.40, and 9.0.0.M1 through 9.0.104. Users should upgrade to versions 11.0.7, 10.1.41, or 9.0.105 to mitigate this risk.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.6

Apache Tomcat 10.1.0-M1 <= 10.1.40

Apache Tomcat 9.0.0.M1 <= 9.0.104

News Articles

GBHackers News

CVE-2025-46701

Apache Tomcat CGI Servlet Flaw Enables Security Constraint Bypass

The flaw, announced on May 29, 2025, is rooted in the improper handling of case sensitivity within the pathInfo component of URLs mapped to the CGI servlet.

3 weeks ago

References

https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lh...

vendor-advisory

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
May 30, 2025
📰
First article discovered by GBHackers News
May 30, 2025
Vulnerability published
May 29, 2025
Vulnerability Reserved
Apr 28, 2025

Credit

Greg K (https://github.com/gregk4sec)