Authentication Bypass Vulnerability in Apache Tomcat
CVE-2025-49125

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 16 June 2025

What is CVE-2025-49125?

The vulnerability in Apache Tomcat allows unauthorized access to certain resources when using PreResources or PostResources configured outside the root of the web application. This misconfiguration permits access through unexpected paths that do not enforce the same security constraints, leading to potential exploitation of sensitive data or resources. Users are advised to upgrade to the most recent versions to mitigate this risk.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.7

Apache Tomcat 10.1.0-M1 <= 10.1.41

Apache Tomcat 9.0.0.M1 <= 9.0.105

References

https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1cz...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2025
Vulnerability Reserved
Jun 2, 2025

Credit

Greg K (https://github.com/gregk4sec)