CVE-2025-46701
📋 TL;DR
This vulnerability in Apache Tomcat's CGI servlet allows attackers to bypass security constraints by exploiting improper case-sensitivity handling of the pathInfo component of a URI mapped to the CGI servlet. It affects Tomcat versions 11.0.0-M1 through 11.0.6, 10.1.0-M1 through 10.1.40, 9.0.0.M1 through 9.0.104, and potentially older end-of-life (EOL) versions. Organizations running affected Tomcat instances with the CGI servlet enabled are at risk.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass authentication and authorization controls to access restricted resources, execute unauthorized CGI scripts, or gain access to sensitive files and directories.
Likely Case
Unauthorized access to protected resources mapped to the CGI servlet, potentially exposing sensitive information or allowing execution of restricted scripts.
If Mitigated
Limited impact if the CGI servlet is disabled or if additional security layers (WAF, network segmentation) are in place.
🎯 Exploit Status
Exploitation requires the CGI servlet to be enabled, with security constraints applied to the pathInfo portion of URIs mapped to it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.7, 10.1.41, or 9.0.105
Vendor Advisory: https://lists.apache.org/thread/xhqqk9w5q45srcdqhogdk04lhdscv30j
Restart Required: Yes
Instructions:
1. Download the patched Tomcat version from the Apache website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable CGI Servlet
Remove or comment out the CGI servlet configuration in web.xml to disable the vulnerable component.
Edit $CATALINA_HOME/conf/web.xml and comment out or remove the <servlet> and <servlet-mapping> sections for the CGI servlet.
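For reference, the two sections the workaround targets, shown first active and then commented out. This is an added illustration, not text from the advisory; the servlet name, class, cgiPathPrefix parameter and /cgi-bin/* mapping follow the stock entries in Tomcat's conf/web.xml, which ships them commented out, and any site-specific init-params or constraints you have added are not represented here.

```xml
<!-- Before: CGI servlet active. With constraints that rely on pathInfo, this is the exposed state. -->
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>

<!-- After: the same two sections wrapped in a comment, which is what the workaround leaves behind.
     Both the declaration and the mapping must be disabled; commenting out only the mapping still
     loads the servlet class, and commenting out only the declaration leaves a dangling mapping. -->
<!--
<servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
        <param-name>cgiPathPrefix</param-name>
        <param-value>WEB-INF/cgi</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
-->
```

A restart is required for the change to take effect, as noted under the official fix. Per-application WEB-INF/web.xml files can declare the CGI servlet independently of the global conf/web.xml, so check those as well.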
🧯 If You Can't Patch
- Disable CGI servlet if not required for business functionality
- Implement web application firewall (WAF) rules to block suspicious URI patterns
🔍 How to Verify
Check if Vulnerable:
Check the Tomcat version and whether the CGI servlet is enabled (declared outside an XML comment) in the web.xml configuration.
Check Version:
java -cp $CATALINA_HOME/lib/catalina.jar org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify that the Tomcat version is 11.0.7+, 10.1.41+, or 9.0.105+ and test that security constraints on CGI paths are enforced.
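The two checks above, scripted. This is an added example rather than a tool from the advisory or from the Tomcat project: tomcat_is_fixed compares a version string against the fixed releases listed above (11.0.7, 10.1.41, 9.0.105) for its branch, and cgi_servlet_enabled strips XML comments from a web.xml and reports whether org.apache.catalina.servlets.CGIServlet is still declared. installed_tomcat_version wraps the ServerInfo command from the page and assumes java is on PATH and CATALINA_HOME is set; the two web.xml files written at the end are constructed samples for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Backs the "How to Verify" section with
# a version comparison and a check for an active CGI servlet declaration.

# Print the installed version, e.g. "9.0.104", using the ServerInfo class the
# advisory names. Assumes java on PATH and CATALINA_HOME set; otherwise prints nothing.
installed_tomcat_version() {
  java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo 2>/dev/null |
    sed -n 's#^Server version: *Apache Tomcat/##p'
}

# Exit 0 if the version is at or above the fixed release for its branch,
# 1 if it is an affected release, 2 if the branch is not one the advisory covers
# or the string cannot be parsed. Milestones such as 11.0.0-M1 or 9.0.0.M1 are
# treated as patch level 0 of their branch, i.e. affected.
tomcat_is_fixed() {
  v=$(printf '%s' "$1" | sed 's/[-.]M[0-9]*$//')
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  rest=${rest#*.}
  pat=${rest%%.*}
  case "$pat" in
    ''|*[!0-9]*) return 2 ;;
  esac
  case "$maj.$min" in
    11.0) fixed=7 ;;
    10.1) fixed=41 ;;
    9.0)  fixed=105 ;;
    *)    return 2 ;;
  esac
  [ "$pat" -ge "$fixed" ]
}

# Strip XML comments (including multi-line ones) from the given web.xml and
# report whether the CGI servlet class is still declared. Exit 0 = declared,
# 1 = absent or commented out. A declaration without a <servlet-mapping> is
# unreachable, so inspect the mappings by hand when this returns 0.
cgi_servlet_enabled() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) { line = ""; break }
        line = substr(line, i + 3); incomment = 0
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = ""; break }
        out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
      }
    }
    print out
  }' "$1" | grep -q 'org\.apache\.catalina\.servlets\.CGIServlet'
}

# Constructed samples: the same declaration once active, once commented out.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_ENABLED="$SAMPLE_DIR/web-enabled.xml"
SAMPLE_DISABLED="$SAMPLE_DIR/web-disabled.xml"
cat > "$SAMPLE_ENABLED" <<'EOF'
<web-app>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
EOF
cat > "$SAMPLE_DISABLED" <<'EOF'
<web-app>
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->
  <!-- <servlet-mapping><servlet-name>cgi</servlet-name>
       <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping> -->
</web-app>
EOF

# Demo against the constructed samples and, when available, the local install.
for v in 9.0.104 9.0.105 10.1.40 10.1.41 11.0.0-M1 11.0.7; do
  if tomcat_is_fixed "$v"; then echo "$v: fixed"; else echo "$v: affected or unknown branch"; fi
done
cgi_servlet_enabled "$SAMPLE_ENABLED" && echo "sample enabled: CGI servlet declared"
cgi_servlet_enabled "$SAMPLE_DISABLED" || echo "sample disabled: CGI servlet not declared"
if [ -n "${CATALINA_HOME:-}" ]; then
  iv=$(installed_tomcat_version)
  [ -n "$iv" ] && { tomcat_is_fixed "$iv" && echo "installed $iv: fixed" || echo "installed $iv: check branch/patch"; }
  [ -f "$CATALINA_HOME/conf/web.xml" ] && cgi_servlet_enabled "$CATALINA_HOME/conf/web.xml" && echo "conf/web.xml: CGI servlet enabled"
fi
```

Run it on the host as the Tomcat service user so the version check reflects the binaries actually in use. A fixed version with the servlet still enabled is acceptable; an affected version with the servlet enabled is the condition to act on.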
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to CGI resources
- Failed authentication attempts followed by successful access via case-variant URIs
Network Indicators:
- HTTP requests to CGI servlet with mixed-case path components
SIEM Query (Splunk-style search syntax is assumed; adjust for your platform):
source="tomcat_access.log" AND uri="*cgi*" | regex uri="[A-Z]" | regex uri="[a-z]"
The two regex stages keep only URIs that contain both upper- and lower-case letters, i.e. mixed-case paths; a plain wildcard such as uri="*[A-Z]*" does not evaluate a character class and would match every request.