CVE-2025-31651
📋 TL;DR
This vulnerability in Apache Tomcat allows an attacker to bypass security constraints that are enforced by rewrite rules: a specially crafted request can evade certain rewrite rule configurations, so any constraint those rules were relied on to enforce can be bypassed. It affects Tomcat versions 9.0.0.M1 through 9.0.102, 10.1.0-M1 through 10.1.39, and 11.0.0-M1 through 11.0.5, plus some EOL versions. Organizations running affected versions that use rewrite rules for security enforcement are at risk.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete bypass of authentication, authorization, or access control mechanisms leading to unauthorized data access or system compromise.
Likely Case
Partial bypass of security controls depending on specific rewrite rule configurations, potentially exposing restricted resources.
If Mitigated
Limited impact if rewrite rules aren't used for critical security enforcement or if additional layers of security exist.
🎯 Exploit Status
Exploitation requires knowledge of specific rewrite rule configurations and crafting specialized requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.6, 10.1.40, 9.0.103
Vendor Advisory: https://lists.apache.org/list.html?announce@tomcat.apache.org
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Back up the current installation.
3. Stop the Tomcat service.
4. Replace the Tomcat files with the patched version.
5. Restart the Tomcat service.
6. Verify the version update.
🔧 Temporary Workarounds
Remove or modify rewrite rules
Review and remove rewrite rules that enforce security constraints, or replace them with alternative security mechanisms.
Edit server.xml or the rewrite configuration files to remove or modify the affected rules.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block suspicious rewrite bypass attempts
- Add additional authentication/authorization layers independent of rewrite rules
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and review rewrite rule configurations in server.xml and rewrite configuration files
Check Version:
java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify Tomcat version is 11.0.6+, 10.1.40+, or 9.0.103+ and test rewrite rule functionality
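The version check above, carried through as an added example (not code from the advisory or from the Tomcat project): it runs the ServerInfo command from this page, parses the "Server version" line, and compares the result against the fixed releases 9.0.103, 10.1.40 and 11.0.6, treating milestone builds such as 10.1.0-M1 or 9.0.0.M1 as earlier than the corresponding GA release. The sample ServerInfo output is constructed, and the handling of unlisted branches as "unknown" is this example's choice, since the page says only that some EOL versions are also affected.

```python
import re
import subprocess

# Fixed releases named in the advisory: anything earlier on the same branch is affected.
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 103),
    (10, 1): (10, 1, 40),
    (11, 0): (11, 0, 6),
}

# Matches "Apache Tomcat/9.0.102", "Apache Tomcat/10.1.0-M1" and "Apache Tomcat/9.0.0.M1".
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_tomcat_version(server_info_output):
    """Extract a comparable version key from ServerInfo output.

    Returns (major, minor, patch, is_ga, milestone) so that a milestone build
    sorts before the GA release with the same number, or None if no Tomcat
    version string is present.
    """
    m = _VERSION_RE.search(server_info_output)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else 0
    is_ga = 1 if m.group(4) is None else 0
    return (major, minor, patch, is_ga, milestone)


def assess(version):
    """Classify a parsed version against the fixed releases.

    'fixed'      - at or beyond the fixed release of its branch
    'vulnerable' - earlier than the fixed release on a listed branch
    'unknown'    - branch not listed above (the advisory notes that some EOL
                   versions are also affected, so 'unknown' is not 'safe')
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"
    fixed_key = fixed + (1, 0)  # the GA build of the fixed version
    return "fixed" if version >= fixed_key else "vulnerable"


def assess_server_info(server_info_output):
    """Parse ServerInfo output and return the version text plus its status."""
    version = parse_tomcat_version(server_info_output)
    if version is None:
        return {"version": None, "status": "unknown"}
    major, minor, patch, is_ga, milestone = version
    text = f"{major}.{minor}.{patch}" + ("" if is_ga else f"-M{milestone}")
    return {"version": text, "status": assess(version)}


def check_local_tomcat(catalina_home):
    """Run the page's ServerInfo command against a local install and assess it."""
    out = subprocess.run(
        ["java", "-cp", f"{catalina_home}/lib/catalina.jar",
         "org.apache.catalina.util.ServerInfo"],
        capture_output=True, text=True, check=True,
    ).stdout
    return assess_server_info(out)


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_OUTPUT = "Server version: Apache Tomcat/9.0.102\nServer number:  9.0.102.0\n"

if __name__ == "__main__":
    print(assess_server_info(SAMPLE_OUTPUT))
```

Point `check_local_tomcat` at the real `$CATALINA_HOME` to assess an installed server; the comparison key deliberately ranks `10.1.0-M1` below `10.1.0`, which matters because the affected ranges on this page start at milestone builds.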
📡 Detection & Monitoring
Log Indicators:
- Unusual request patterns that bypass expected URL paths
- Access to restricted resources without proper authentication logs
Network Indicators:
- HTTP requests with crafted sequences targeting rewrite rule patterns
SIEM Query:
source="tomcat_access.log" AND (url="*%*" OR url="*\*" OR url="*?*") AND response="200"
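The detection logic above, run over sample access-log lines as an added example (not code from the advisory): it parses Tomcat's default "common" access-log pattern, applies the same condition as the SIEM query (a 200 response to a URL containing `%`, `\` or `?`), and, to cover the "access to restricted resources without proper authentication" indicator, separately flags a 200 response whose percent-decoded path falls under a restricted prefix while the log's remote-user field is empty. The log lines and the `/admin/` prefix are constructed, and the path normalization is this example's own, not Tomcat's.

```python
import re
from urllib.parse import unquote

# Tomcat access log in the default "common" pattern: %h %l %u %t "%r" %s %b
_ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The characters the page's SIEM query looks for in the URL.
SUSPICIOUS_CHARS = ("%", "\\", "?")


def parse_access_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = _ACCESS_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def matches_siem_query(entry):
    """Same condition as the page's SIEM query: a 200 response to a URL
    containing '%', a backslash or '?'."""
    return entry["status"] == 200 and any(c in entry["url"] for c in SUSPICIOUS_CHARS)


def normalized_path(url):
    """Path part only, percent-decoded, with backslashes folded to slashes.
    Assumption: this is a reviewer's comparison form, not Tomcat's own normalization."""
    path = url.split("?", 1)[0]
    return unquote(path).replace("\\", "/")


def unauthenticated_restricted_access(entry, restricted_prefixes):
    """A 200 response to a restricted path with no remote user recorded (%u is '-')."""
    if entry["status"] != 200 or entry["user"] != "-":
        return False
    path = normalized_path(entry["url"])
    return any(path.startswith(p) for p in restricted_prefixes)


def scan(lines, restricted_prefixes):
    """Return the entries worth a look, each with the reasons it was flagged."""
    findings = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        reasons = []
        if matches_siem_query(entry):
            reasons.append("siem_query")
        if unauthenticated_restricted_access(entry, restricted_prefixes):
            reasons.append("restricted_path")
        if reasons:
            findings.append({"host": entry["host"], "url": entry["url"], "reasons": reasons})
    return findings


# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [01/May/2025:10:00:02 +0000] "GET /admin%2Fpanel HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/May/2025:10:00:03 +0000] "GET /app/page?id=1 HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/May/2025:10:00:04 +0000] "GET /admin/panel HTTP/1.1" 401 0',
    r'10.0.0.10 - - [01/May/2025:10:00:05 +0000] "GET /a\b HTTP/1.1" 200 12',
    '10.0.0.11 - alice [01/May/2025:10:00:06 +0000] "GET /admin/panel HTTP/1.1" 200 800',
]

# Constructed restricted prefix for the sample; use the paths your rewrite rules protect.
RESTRICTED = ("/admin/",)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, RESTRICTED):
        print(finding)
```

The SIEM query as written is noisy, since any request with a query string contains `?`; the `restricted_path` reason is the higher-signal one because it ties the 200 response to a path the rewrite rules are supposed to protect and to the absence of an authenticated user in the log.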