Stay Connected:

CVE-2025-49125

CVE Details

Release Date:2025-06-16
Impact:Low What is this?

Description


Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

See more information about CVE-2025-49125 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 3.7
Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None

Errata information


PlatformErrataRelease Date
Oracle Linux version 10 (tomcat) ELSA-2025-141792025-08-22
Oracle Linux version 10 (tomcat9) ELSA-2025-141782025-08-21
Oracle Linux version 8 (tomcat) ELSA-2025-141772025-08-20
Oracle Linux version 9 (tomcat) ELSA-2025-141812025-08-20


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete
Subscribe | Careers | Contact Us | Legal Notices | Terms of Use | Your Privacy Rights