CVE-2025-55752
📋 TL;DR
A path traversal vulnerability in Apache Tomcat allows attackers to bypass security constraints protecting sensitive directories like /WEB-INF/ and /META-INF/. This affects Tomcat versions 9.0.0.M11 through 9.0.108, 10.1.0-M1 through 10.1.44, and 11.0.0-M1 through 11.0.10. If PUT requests are enabled, this could lead to remote code execution.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution via malicious file upload if PUT requests are enabled and rewrite rules manipulate query parameters
Likely Case
Bypass of security constraints allowing access to protected directories and sensitive files
If Mitigated
Limited impact if PUT requests are disabled and proper access controls are in place
🎯 Exploit Status
Exploitation requires specific rewrite rule configuration. PUT requests are normally limited to trusted users and unlikely to be enabled with vulnerable rewrite rules.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.0.11+, 10.1.45+, or 9.0.109+
Vendor Advisory: https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
Restart Required: Yes
Instructions:
1. Download the patched version from the Apache Tomcat website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable PUT requests
Prevents file-upload exploitation by disabling the HTTP PUT method
Edit web.xml to remove PUT method from allowed methods or configure security constraints
Remove vulnerable rewrite rules
Remove or modify rewrite rules that rewrite query parameters into the URL path
Review and modify rewrite rules in conf/server.xml or rewrite.config files
🧯 If You Can't Patch
- Disable PUT requests in Tomcat configuration
- Implement WAF rules to block path traversal attempts and PUT requests to sensitive paths
🔍 How to Verify
Check if Vulnerable:
Check the Tomcat version and confirm whether an affected version is running with rewrite rules that rewrite query parameters into the URL path
Check Version:
Check the startup banner in catalina.out, or run from the Tomcat installation directory: java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify Tomcat version is 11.0.11+, 10.1.45+, or 9.0.109+
📡 Detection & Monitoring
Log Indicators:
- Unusual PUT requests to sensitive paths
- Access attempts to /WEB-INF/ or /META-INF/ directories
- URLs with encoded path traversal sequences
Network Indicators:
- HTTP requests with encoded characters in URLs targeting sensitive paths
- PUT requests to Tomcat servers
SIEM Query:
source="tomcat_access.log" AND (uri="*%2e%2e%2f*" OR uri="*%252e%252e%252f*" OR (method="PUT" AND (uri="*/WEB-INF/*" OR uri="*/META-INF/*")))
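The SIEM query above matches only literal encoded sequences; a log-side check can instead normalize each request URI (single- and double-percent-decoding) before testing for traversal sequences and for PUT requests aimed at /WEB-INF/ or /META-INF/. The following Python script is an added example, not code from this advisory or from the Apache Tomcat project; the access-log lines it scans are constructed for illustration (Common Log Format), and the classification labels (`traversal`, `sensitive-path`, `put-to-sensitive-path`) are names chosen here.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [27/Oct/2025:10:01:05 +0000] "GET /app/static/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.8 - - [27/Oct/2025:10:01:09 +0000] "GET /app/x?p=%252e%252e%252fMETA-INF/MANIFEST.MF HTTP/1.1" 403 0
10.0.0.9 - - [27/Oct/2025:10:01:12 +0000] "PUT /app/WEB-INF/classes/x.jsp HTTP/1.1" 201 0
10.0.0.9 - - [27/Oct/2025:10:01:15 +0000] "PUT /app/uploads/report.txt HTTP/1.1" 201 0
10.0.0.6 - - [27/Oct/2025:10:01:20 +0000] "GET /app/META-INF/context.xml HTTP/1.1" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status, size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directories the advisory names as protected by security constraints.
SENSITIVE_DIRS = ("/WEB-INF/", "/META-INF/")


def normalize(uri):
    """Percent-decode up to twice so %2e%2e%2f and %252e%252e%252f both become ../"""
    out = uri
    for _ in range(2):
        decoded = unquote(out)
        if decoded == out:
            break
        out = decoded
    return out


def classify(line):
    """Return a finding dict for a suspicious log line, or None for a benign one."""
    m = LINE_RE.match(line)
    if not m:
        return None  # malformed line; a real pipeline would count these separately
    decoded = normalize(m.group("uri"))
    upper = decoded.upper()
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if any(d.upper() in upper for d in SENSITIVE_DIRS):
        reasons.append("sensitive-path")
        if m.group("method") == "PUT":
            # PUT into a protected directory is the write primitive the advisory warns about.
            reasons.append("put-to-sensitive-path")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "uri": m.group("uri"),
        "decoded": decoded,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan(log_text):
    """Run classify() over every line and keep the findings in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["decoded"]} -> {hit["status"]} {hit["reasons"]}')
```

Decoding twice is the point: the page's second query pattern (`%252e%252e%252f`) only exists because of double encoding, and comparing on the normalized form catches both with one rule. A 2xx status on a `traversal` plus `sensitive-path` hit (or any `put-to-sensitive-path` hit) is the line worth paging on; 403/404 responses on the same patterns show the constraint held and are useful for trending, not alerting.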
🔗 References
- https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
- http://www.openwall.com/lists/oss-security/2025/10/27/4
- https://www.vicarius.io/vsociety/posts/cve-2025-55752-detect-apache-tomcat-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-55752-mitigate-apache-tomcat-vulnerability