Improper Input Validation in Apache Tomcat Affects Multiple Versions
CVE-2025-66614

Currently unrated

Key Information:

Vendor: Apache

CVE Published: 17 February 2026

What is CVE-2025-66614?

An improper input validation vulnerability affects specific versions of Apache Tomcat. The issue arises when the host name provided via the SNI extension differs from the host name in the HTTP Host header field. In configurations with multiple virtual hosts where certificate authentication is not applied consistently, a client may be able to evade security measures by manipulating these fields. This primarily affects configurations where certificate authentication is enforced at the Connector level but not at the web application level. To mitigate the risk, upgrade to version 11.0.15, 10.1.50, or 9.0.113 or later.
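One way to check a `server.xml` for the inconsistent certificate policy described above, as an added example that is not part of the advisory or of Apache Tomcat. It assumes TLS virtual hosts are declared with `SSLHostConfig` elements; the sample configuration and its host names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the advisory): two virtual hosts
# share one TLS Connector, but only one demands a client certificate.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true"
               defaultSSLHostConfigName="public.example.test">
      <SSLHostConfig hostName="public.example.test" certificateVerification="none"/>
      <SSLHostConfig hostName="admin.example.test" certificateVerification="required"/>
    </Connector>
    <Engine name="Catalina" defaultHost="public.example.test">
      <Host name="public.example.test" appBase="webapps-public"/>
      <Host name="admin.example.test" appBase="webapps-admin"/>
    </Engine>
  </Service>
</Server>
"""

# Only "required" forces a client certificate; "optional", "optionalNoCA"
# and "none" let the handshake complete without one.
ENFORCING = {"required"}


def audit_connectors(server_xml):
    """Return one finding per Connector whose SSLHostConfig entries disagree
    on client-certificate verification."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        policy = {}
        for cfg in conn.findall("SSLHostConfig"):
            # Tomcat defaults: hostName="_default_", certificateVerification="none"
            host = cfg.get("hostName", "_default_").lower()
            policy[host] = cfg.get("certificateVerification", "none").lower()
        strict = sorted(h for h, v in policy.items() if v in ENFORCING)
        lax = sorted(h for h, v in policy.items() if v not in ENFORCING)
        if strict and lax:  # mixed policy on one Connector
            findings.append({"port": conn.get("port"),
                             "cert_required": strict,
                             "cert_not_required": lax})
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        print(f"Connector {f['port']}: mixed client-certificate policy; "
              f"required for {f['cert_required']}, not for {f['cert_not_required']}")
```

A finding marks a Connector to prioritise for the upgrade; it does not by itself confirm that the installed version is affected.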

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.14

Apache Tomcat 10.1.0-M1 <= 10.1.49

Apache Tomcat 9.0.0-M1 <= 9.0.112
