vulnerability

Red Hat: CVE-2025-31651: tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve (Multiple Advisories)

Try Surface Command
Back to search
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
Published
Apr 28, 2025
Added
Jul 9, 2025
Modified
Jan 28, 2026

Description

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible
for a specially crafted request to bypass some rewrite rules. If those
rewrite rules effectively enforced security constraints, those
constraints could be bypassed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions
may also be affected.

Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

Solutions

no-fix-redhat-rpm-packageredhat-upgrade-tomcatredhat-upgrade-tomcat-admin-webappsredhat-upgrade-tomcat-docs-webappredhat-upgrade-tomcat-el-3-0-apiredhat-upgrade-tomcat-el-5-0-apiredhat-upgrade-tomcat-jsp-2-3-apiredhat-upgrade-tomcat-jsp-3-1-apiredhat-upgrade-tomcat-libredhat-upgrade-tomcat-servlet-4-0-apiredhat-upgrade-tomcat-servlet-6-0-apiredhat-upgrade-tomcat-webappsredhat-upgrade-tomcat9redhat-upgrade-tomcat9-admin-webappsredhat-upgrade-tomcat9-docs-webappredhat-upgrade-tomcat9-el-3-0-apiredhat-upgrade-tomcat9-jsp-2-3-apiredhat-upgrade-tomcat9-libredhat-upgrade-tomcat9-servlet-4-0-apiredhat-upgrade-tomcat9-webapps

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today