CVE-2025-49125

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-49125
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
CVSS

No CVSS.

References
Link Resource
http://www.openwall.com/lists/oss-security/2025/06/16/2 Mailing List Third Party Advisory
https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk Mailing List Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
History

08 Aug 2025, 12:15

Type Values Removed Values Added
Summary Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

07 Aug 2025, 12:15

Type Values Removed Values Added
Summary Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat.  When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

02 Jul 2025, 18:28

Type Values Removed Values Added
CPE cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
References () http://www.openwall.com/lists/oss-security/2025/06/16/2 - () http://www.openwall.com/lists/oss-security/2025/06/16/2 - Mailing List, Third Party Advisory
References () https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk - () https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk - Mailing List, Vendor Advisory
First Time Apache tomcat
Apache

16 Jun 2025, 20:15

Type Values Removed Values Added
References
  • () http://www.openwall.com/lists/oss-security/2025/06/16/2 -
CWE CWE-288

16 Jun 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-16 15:15

Updated : 2025-08-08 12:15

NVD link : CVE-2025-49125

Mitre link : CVE-2025-49125

JSON object : View

Products Affected

apache

  • tomcat
CWE

No CWE.