Case Sensitivity Vulnerability in Apache Tomcat GCI Servlet
CVE-2025-46701

7.3HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 29 May 2025

What is CVE-2025-46701?

An improper handling of case sensitivity vulnerability exists in the GCI servlet of Apache Tomcat. This flaw allows a bypass of security constraints linked to the pathInfo component of a URI. This can potentially enable malicious users to access restricted resources without proper authorization. Affected versions include Apache Tomcat from 11.0.0-M1 through 11.0.6, 10.1.0-M1 through 10.1.40, and 9.0.0.M1 through 9.0.104. Users should upgrade to versions 11.0.7, 10.1.41, or 9.0.105 to mitigate this risk.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.6

Apache Tomcat 10.1.0-M1 <= 10.1.40

Apache Tomcat 9.0.0.M1 <= 9.0.104

References

https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lh...

vendor-advisory

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2025
Vulnerability Reserved
Apr 28, 2025

Credit

Greg K (https://github.com/gregk4sec)