Relative Path Traversal Vulnerability in Apache Tomcat by Apache
CVE-2025-55752
Key Information:
- Vendor: Apache
- CVE Published: 27 October 2025
What is CVE-2025-55752?
CVE-2025-55752 is a relative path traversal vulnerability in the Apache Tomcat web server, a widely used open-source implementation of the Java Servlet, JavaServer Pages, and Expression Language technologies. It arises from Tomcat's mishandling of URL rewriting, a regression introduced by the fix for a separate bug. The flaw lets an attacker manipulate request URIs so that security constraints, such as those protecting the /WEB-INF/ and /META-INF/ directories, are bypassed. If the server is also configured to allow PUT requests (normally restricted to trusted users), the flaw could enable the upload of malicious files and potentially lead to remote code execution. For organizations that rely on Apache Tomcat, this could compromise server integrity and expose sensitive information to unauthorized access.
Potential impact of CVE-2025-55752
- Unauthorized Access and Data Exposure: The vulnerability enables attackers to bypass security mechanisms that protect essential application directories, which can lead to unauthorized access to sensitive data, configuration files, and application resources.
- Remote Code Execution: With the ability to upload malicious files through permitted PUT requests, attackers may execute arbitrary code on the server. This potential for remote code execution can result in complete control over the vulnerable system, allowing for data theft, service disruption, or further exploitation of the network.
- Increased Risk of Malware Deployment: Organizations could face heightened risks from malware infections, particularly if ransomware or other malicious software is deployed after this vulnerability is exploited. The ability to manipulate file uploads gives threat actors an opportunity to introduce damaging payloads that could have significant operational and financial impacts.
Affected Version(s)
Apache Tomcat 11.0.0-M1 through 11.0.10
Apache Tomcat 10.1.0-M1 through 10.1.44
Apache Tomcat 9.0.0.M11 through 9.0.108
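The affected ranges above are easy to misread because Tomcat milestone builds use two spellings ("9.0.0.M11" and "11.0.0-M1") and sort before the final release of the same base version. The following is an added example, written for this page and not code from Apache Tomcat or from the advisory, that turns the listed ranges into a check a defender can run against a host inventory. The banner text and the inventory are constructed sample data; `catalina.sh version` really does print a "Server version: Apache Tomcat/<version>" line, but everything else in the banner here is made up. Versions outside the listed ranges, including release lines the page does not mention, simply return False.

```python
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges, copied from the advisory's "Affected Version(s)" list.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("11.0.0-M1", "11.0.10"),
    ("10.1.0-M1", "10.1.44"),
    ("9.0.0.M11", "9.0.108"),
]

# Tomcat has used two milestone spellings: "9.0.0.M11" (dot) and "11.0.0-M1" (dash).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Constructed sample of `catalina.sh version` output (only the "Server version" line matters).
SAMPLE_BANNER = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.108
Server built:   Aug 1 2025 12:00:00 UTC
"""

# Constructed inventory of hypothetical hosts: hostname -> reported Tomcat version.
SAMPLE_INVENTORY: Dict[str, str] = {
    "app-1": "9.0.108",
    "app-2": "9.0.109",
    "app-3": "10.1.44",
    "app-4": "11.0.0-M5",
    "app-5": "8.5.100",
}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple.

    The tuple is (major, minor, patch, is_final, milestone_number), so a
    milestone such as 11.0.0-M1 orders before the final 11.0.0 release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)          # final release
    return (major, minor, patch, 0, int(milestone))  # milestone build


def is_affected(version: str) -> bool:
    """True if the version falls inside any listed affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(banner: str) -> str:
    """Extract the version from the 'Server version: Apache Tomcat/<ver>' line."""
    m = re.search(r"Apache Tomcat/(\S+)", banner)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' line found in banner")
    return m.group(1)


def audit_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Tomcat version is in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    banner_version = version_from_banner(SAMPLE_BANNER)
    print(f"banner reports {banner_version}: affected={is_affected(banner_version)}")
    for host in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is within an affected range")
```

Run as a script it flags app-1, app-3 and app-4; app-2 (9.0.109) and app-5 (8.5.100) are outside every range the page lists. Feed `version_from_banner` the real output of `catalina.sh version` collected from each host to replace the constructed inventory.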
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Apache Tomcat CVE-2025-55752, 55754 Security Flaws
Apache warns of CVE-2025-55752 and CVE-2025-55754 in Tomcat 9–11, risking remote code execution and console attacks. Urgent updates are strongly advised.
1 day ago
Apache Tomcat Vulnerability: Update Now to Avoid Security Risks
Critical vulnerabilities discovered in Apache Tomcat. Urgent updates to prevent cyberattacks and protect web applications.
2 days ago
Apache Tomcat Security Vulnerabilities Expose Servers to Remote Code Execution Attacks
The Apache Software Foundation has highlighted critical flaws in Apache Tomcat, a widely used open-source Java servlet container that powers numerous web applications.
2 days ago
Timeline
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by CyberSecurityNews
- Vulnerability published
- Vulnerability reserved