Oracle Linux: CVE-2025-31651: ELSA-2025-23048: tomcat security update (IMPORTANT) (Multiple Advisories)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Apr 28, 2025 | Dec 12, 2025 | Dec 12, 2025 |
Description
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
A flaw was found in Apache Tomcat's rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use.
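The affected ranges above mix milestone builds (11.0.0-M1, 9.0.0.M1) with GA releases, and a plain string comparison gets them wrong. The following is an added example, not part of this advisory or of the Tomcat project, that parses a Tomcat version (or the "Server version:" line that Tomcat's version.sh prints) and checks it against exactly the inclusive ranges stated in the description. The banner line used in the test is a constructed sample.

```python
import re

# Inclusive affected ranges, copied from the advisory text above.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.5"),
    ("10.1.0-M1", "10.1.39"),
    ("9.0.0.M1", "9.0.102"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?")


def parse_tomcat_version(version):
    """Parse 'major.minor.patch' with an optional milestone suffix.

    Tomcat writes milestones as '11.0.0-M1' (10.x/11.x) or '9.0.0.M1' (9.x).
    Returns a tuple that sorts correctly: a milestone orders before the GA
    release with the same major.minor.patch, so (.., 0, n) < (.., 1, 0).
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if `version` falls inside one of the advisory's affected ranges."""
    v = parse_tomcat_version(version)
    return any(
        parse_tomcat_version(low) <= v <= parse_tomcat_version(high)
        for low, high in AFFECTED_RANGES
    )


def version_from_banner(line):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line
    as printed by Tomcat's bin/version.sh (constructed sample in the test)."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        raise ValueError(f"no Tomcat version in: {line!r}")
    return m.group(1)


if __name__ == "__main__":
    for ver in ["9.0.0.M1", "9.0.102", "9.0.103", "10.1.40", "11.0.0-M1", "11.0.6"]:
        print(f"{ver:>10}: {'AFFECTED' if is_affected(ver) else 'not in range'}")
```

Being inside the range only means the vulnerable code is present; per the description, the bypass matters only where rewrite rules are what enforce a security constraint, so the result should be read together with the host's rewrite configuration.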
Solutions
- oracle-linux-upgrade-tomcat
- oracle-linux-upgrade-tomcat9
- oracle-linux-upgrade-tomcat9-admin-webapps
- oracle-linux-upgrade-tomcat9-docs-webapp
- oracle-linux-upgrade-tomcat9-el-3-0-api
- oracle-linux-upgrade-tomcat9-jsp-2-3-api
- oracle-linux-upgrade-tomcat9-lib
- oracle-linux-upgrade-tomcat9-servlet-4-0-api
- oracle-linux-upgrade-tomcat9-webapps
- oracle-linux-upgrade-tomcat-admin-webapps
- oracle-linux-upgrade-tomcat-docs-webapp
- oracle-linux-upgrade-tomcat-el-3-0-api
- oracle-linux-upgrade-tomcat-el-5-0-api
- oracle-linux-upgrade-tomcat-jsp-2-3-api
- oracle-linux-upgrade-tomcat-jsp-3-1-api
- oracle-linux-upgrade-tomcat-lib
- oracle-linux-upgrade-tomcat-servlet-4-0-api
- oracle-linux-upgrade-tomcat-servlet-6-0-api
- oracle-linux-upgrade-tomcat-webapps