Authentication Bypass Vulnerability in Apache Tomcat
CVE-2025-49125

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 16 June 2025

What is CVE-2025-49125?

The vulnerability in Apache Tomcat allows unauthorized access to certain resources when using PreResources or PostResources configured outside the root of the web application. This misconfiguration permits access through unexpected paths that do not enforce the same security constraints, leading to potential exploitation of sensitive data or resources. Users are advised to upgrade to the most recent versions to mitigate this risk.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.7

Apache Tomcat 10.1.0-M1 <= 10.1.41

Apache Tomcat 9.0.0.M1 <= 9.0.105

References

https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1cz...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 16, 2025
Vulnerability Reserved
Jun 2, 2025

Credit

Greg K (https://github.com/gregk4sec)

JSON