CVE-2025-49125
📋 TL;DR
This CVE describes an authentication bypass vulnerability in Apache Tomcat where PreResources or PostResources mounted at non-root paths can be accessed via unexpected alternative paths. These alternative paths may not be protected by the same security constraints, allowing attackers to bypass authentication and access restricted resources. Affected users include those running Apache Tomcat versions 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41, 9.0.0.M1 through 9.0.105, and EOL versions 8.5.0 through 8.5.100.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete authentication bypass leading to unauthorized access to sensitive resources, potential data exfiltration, or privilege escalation.
Likely Case
Unauthorized access to protected resources that should require authentication, potentially exposing sensitive application data or functionality.
If Mitigated
Limited impact if proper network segmentation, additional authentication layers, or resource-level protections are in place.
🎯 Exploit Status
Exploitation requires knowledge of alternative paths to access resources. No public exploit code identified at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.8, 10.1.42, or 9.0.106
Vendor Advisory: https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Back up the current Tomcat installation.
3. Stop the Tomcat service.
4. Replace the Tomcat installation with the patched version.
5. Restart the Tomcat service.
6. Verify the version update.
🔧 Temporary Workarounds
Remove or relocate PreResources/PostResources
Remove PreResources or PostResources mounted at non-root paths, or relocate them to root paths where security constraints apply properly.
Edit server.xml or context.xml to remove or modify PreResources/PostResources configuration
Apply additional security constraints
Manually add security constraints for all possible paths to protected resources in web.xml.
Edit web.xml to add <security-constraint> elements for all resource paths
🧯 If You Can't Patch
- Implement network-level access controls to restrict access to Tomcat instances
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check Tomcat version and verify if PreResources or PostResources are configured at non-root paths in server.xml or context.xml.
Check Version:
java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify Tomcat version is 11.0.8+, 10.1.42+, or 9.0.106+ using version check command.
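The two checks above (version in an affected range, and PreResources/PostResources mounted below the web application root) can be automated. The script below is an added example, not part of this advisory or of Tomcat; it assumes the ServerInfo output format "Server version: Apache Tomcat/X.Y.Z" and the standard `webAppMount` attribute on resource set elements (default "/"), and the sample context.xml is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Last vulnerable patch level per branch, taken from the advisory ranges.
# 8.5 is EOL and receives no fix.
LAST_VULNERABLE = {(11, 0): 7, (10, 1): 41, (9, 0): 105, (8, 5): 100}

# Tomcat writes milestones as 9.0.0.M1 or 10.1.0-M1; a milestone of X.Y.Z
# predates the final X.Y.Z release, so it is affected whenever X.Y.Z is.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")

def parse_version(text):
    """Return (major, minor, patch, milestone) from ServerInfo output or a bare version."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, ms = m.groups()
    return int(major), int(minor), int(patch), (int(ms) if ms else None)

def is_vulnerable_version(text):
    """True when the version falls inside one of the affected ranges."""
    major, minor, patch, _ms = parse_version(text)
    last = LAST_VULNERABLE.get((major, minor))
    if last is None:
        return False  # branch not listed as affected
    return patch <= last

MOUNT_TAGS = ("PreResources", "PostResources")

def non_root_mounts(context_xml):
    """List (tag, base, webAppMount) for resource sets mounted below the root.
    webAppMount defaults to "/" when omitted, which is the safe configuration."""
    findings = []
    for res in ET.fromstring(context_xml).iter("Resources"):
        for child in res:
            if child.tag in MOUNT_TAGS:
                mount = child.get("webAppMount", "/")
                if mount.rstrip("/") != "":          # anything other than "/"
                    findings.append((child.tag, child.get("base"), mount))
    return findings

# Constructed sample: one non-root PreResources mount and one root PostResources mount.
SAMPLE_CONTEXT = """<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared-assets" webAppMount="/static"/>
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/overlay"/>
  </Resources>
</Context>"""

if __name__ == "__main__":
    print(is_vulnerable_version("Server version: Apache Tomcat/10.1.40"))  # True
    print(non_root_mounts(SAMPLE_CONTEXT))  # [('PreResources', '/srv/shared-assets', '/static')]
```

A non-empty result from `non_root_mounts` on a vulnerable version is the condition the workaround above targets; an empty result on a fixed version means neither check applies.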
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to resources via non-standard paths
- Failed authentication attempts followed by successful resource access
Network Indicators:
- HTTP requests attempting to access resources via unexpected URL paths
- Patterns of path traversal attempts
SIEM Query:
source="tomcat_access.log" AND (url_path CONTAINS "/WEB-INF" OR url_path CONTAINS "/META-INF") AND response_code=200