
CVE-2025-49125: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Apache Software Foundation Apache Tomcat

High
Tags: Vulnerability, CVE-2025-49125, cve, cve-2025-49125, cwe-288
Published: Mon Jun 16 2025 (06/16/2025, 14:18:09 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.

AI-Powered Analysis

Last updated: 08/15/2025, 01:06:49 UTC

Technical Analysis

CVE-2025-49125 is an authentication bypass vulnerability in Apache Tomcat, the widely used open-source Java Servlet container. Tomcat lets a web application mount additional resource sets into its resource tree through PreResources and PostResources elements, each with a webAppMount path. When such a set is mounted anywhere other than the root of the application (a webAppMount other than /), affected versions also expose its contents under a second, unexpected request path. Security constraints in Tomcat are matched against the request URL, so a security-constraint whose url-pattern covers only the intended mount path (for example /internal/*) says nothing about the second path, and a request on that path reaches the resource without the authentication or authorization check the constraint was meant to impose. The advisory does not publish the form of the unexpected path. Affected versions are 11.0.0-M1 through 11.0.7, 10.1.0-M1 through 10.1.41 and 9.0.0.M1 through 9.0.105; the end-of-life 8.5.0 through 8.5.100 line is also known to be affected and has no fix, and older EOL branches may be affected as well. The issue is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). The CVSS v3.1 base score cited here is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, unchanged scope, high confidentiality impact and no impact on integrity or availability. Note that the Apache CVE record itself lists no CVSS version (see Technical Details below), so this score comes from a separate assessment rather than from the assigner. No exploitation in the wild had been reported at the time of this analysis. The fix is in Tomcat 11.0.8, 10.1.42 and 9.0.106, and deployments on affected versions should upgrade to these releases or later.
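The following is an added example written for this page, not Tomcat's own code. It reimplements the order in which Tomcat's RealmBase selects security-constraint url-patterns for a request path, so that a constraint scoped to the expected mount path can be compared with one that covers the whole context. The mount /internal, the public prefix /public and the second path /alt/... are hypothetical: the advisory does not say what the unexpected path looks like, and the example only shows why a constraint written for one path does not apply to another. Role names "*" and "**" and per-method constraints are left out.

```python
"""How a Tomcat security constraint decides whether it covers a request path.

Constructed example (not Tomcat's code): a simplified version of the
url-pattern selection in Tomcat's RealmBase, used to compare a constraint
limited to a mount path with one that covers the whole context. All paths
below are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    pattern: str
    # None: no <auth-constraint> element, anyone may access
    # (): empty <auth-constraint/>, nobody may access
    # ("admin",): the listed role-name entries
    roles: Optional[Tuple[str, ...]] = None


def matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern matching: exact, path prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def find_constraints(constraints, path):
    """Exact matches win; else every constraint sharing the longest matching
    path-prefix pattern; else extension matches; else the default pattern '/'."""
    exact = [c for c in constraints if c.pattern == path]
    if exact:
        return exact
    prefixes = [c for c in constraints if c.pattern.endswith("/*") and matches(c.pattern, path)]
    if prefixes:
        longest = max(len(c.pattern) for c in prefixes)
        return [c for c in prefixes if len(c.pattern) == longest]
    exts = [c for c in constraints if c.pattern.startswith("*.") and matches(c.pattern, path)]
    if exts:
        return exts
    return [c for c in constraints if c.pattern == "/"]


def access(constraints, path, user_roles=frozenset()):
    """'open' when no constraint applies at all; otherwise 'allowed' or 'denied'."""
    selected = find_constraints(constraints, path)
    if not selected:
        return "open"  # nothing in web.xml protects this path
    for c in selected:
        if c.roles is None or set(c.roles) & set(user_roles):
            return "allowed"
    return "denied"


# Constructed web.xml equivalents (hypothetical mount and public prefix).
MOUNT_ONLY = [Constraint("/internal/*", ("admin",))]           # protects the mount path only
WHOLE_CONTEXT = [Constraint("/*", ("admin",)),                  # default: authenticate everything
                 Constraint("/public/*", None)]                 # explicitly open public content


def compare():
    """The same resource reached via the expected path and via some other path."""
    return {
        "mount-only, expected path": access(MOUNT_ONLY, "/internal/secret.txt"),
        "mount-only, other path": access(MOUNT_ONLY, "/alt/secret.txt"),
        "whole-context, other path": access(WHOLE_CONTEXT, "/alt/secret.txt"),
        "whole-context, public path": access(WHOLE_CONTEXT, "/public/index.html"),
        "whole-context, other path as admin": access(WHOLE_CONTEXT, "/alt/secret.txt", {"admin"}),
    }


if __name__ == "__main__":
    for case, result in compare().items():
        print(f"{case:40} {result}")
```

With the mount-only configuration the expected path is denied to an anonymous user but any other path is simply open, because no url-pattern matches it. With a /* constraint and an explicit open constraint for the public prefix, the longest matching prefix decides, so public content stays reachable while every other path in the context, including one nobody anticipated, is challenged.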

Potential Impact

For European organizations this vulnerability is a material risk because Apache Tomcat is widely deployed in enterprise web applications, government portals and critical infrastructure services. Exposure is conditional, though: an application is affected only if it mounts PreResources or PostResources somewhere other than the root of the web application and relies on security constraints to protect what is mounted there; deployments that use no non-root mounts are not reachable through this flaw. Where the condition holds, an unauthenticated attacker can read whatever is mounted there, which can mean a data breach, a GDPR notification obligation and loss of customer trust. The vulnerability does not directly affect integrity or availability, so the primary concern is confidentiality, but the exposed content can provide the foothold for further attacks such as lateral movement or privilege escalation. Because exploitation requires no credentials and no user interaction, automated scanning for the condition is to be expected. Organizations handling personal data, financial information or critical services are at heightened risk, and the presence in some environments of the end-of-life 8.5 line, which is affected and receives no fix, makes the problem worse, since those systems tend to lack timely patching and monitoring.

Mitigation Recommendations

European organizations should immediately inventory their Apache Tomcat deployments to identify affected versions, including end-of-life releases; the version is printed by version.sh (or version.bat) in the installation's bin directory as "Server version: Apache Tomcat/x.y.z". The primary mitigation is to upgrade to 11.0.8, 10.1.42 or 9.0.106, or later. The 8.5 line is affected and has no fixed release, so 8.5 installations have to migrate to a supported branch rather than patch. Next, review every context.xml for PreResources and PostResources elements whose webAppMount is anything other than /; that is the configuration the flaw depends on, and a deployment without such mounts is not exposed. Where an immediate upgrade is not feasible, either remove the non-root mounts or stop relying on a security constraint scoped to the mount path alone: declare a security-constraint with url-pattern /* for the context and open only the deliberately public paths with constraints that carry no auth-constraint, so that a request for the mounted resources is challenged on any path within that context. Network segmentation that keeps Tomcat off the internet reduces exposure. A web application firewall is of limited value here because the advisory does not publish the form of the unexpected path; an allow-list of the application's known URL prefixes is more useful than block rules written against a guessed path. In logging, look for successful responses to request paths outside the application's known URL set, and for requests naming files that exist only inside a mounted resource set. Regular vulnerability scanning and penetration testing focused on authentication bypass scenarios are recommended to validate the mitigations, and an incident response plan tailored to web application breaches should be in place so that detected exploitation can be handled quickly.
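The inventory and configuration review above, as an added example written for this page rather than Apache code. It classifies a Tomcat version string against the affected and fixed ranges from the advisory (handling both milestone spellings Tomcat has used, 9.0.0.M1 and 11.0.0-M1), extracts the version from version.sh output, and lists PreResources/PostResources elements in a context.xml whose webAppMount is not /. The version.sh output and context.xml are constructed samples in the real formats; the base directories and the /internal mount in them are hypothetical.

```python
"""Inventory helpers for CVE-2025-49125: classify a Tomcat version against the
advisory's affected and fixed ranges, and list Pre/PostResources mounts that
are not at the web application root.

Constructed example written for this page (not Apache code). The version.sh
output and context.xml below are invented samples; their paths and mount
names are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per supported branch and the affected EOL branch, from the advisory.
FIRST_FIXED = {(11, 0): (11, 0, 8), (10, 1): (10, 1, 42), (9, 0): (9, 0, 106)}
EOL_AFFECTED_BRANCH = (8, 5)  # 8.5.0 through 8.5.100, no fixed release

# Accepts 9.0.105, 9.0.0.M1 and 11.0.0-M1 (both milestone spellings).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Return a tuple that sorts correctly, with milestones before the final build."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def classify(version):
    """'fixed', 'affected', 'affected (EOL, no fix)', 'possibly affected (EOL)' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIRST_FIXED:
        return "fixed" if v >= FIRST_FIXED[branch] + (1, 0) else "affected"
    if branch == EOL_AFFECTED_BRANCH:
        return "affected (EOL, no fix)"
    if v < parse_version("9.0.0.M1"):
        return "possibly affected (EOL)"  # older EOL branches the advisory did not test
    return "unknown"  # a branch the advisory does not list


def version_from_version_sh(output):
    """Pull the version out of the 'Server version: Apache Tomcat/9.0.105' line of version.sh."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' line found")
    return m.group(1)


def non_root_mounts(context_xml):
    """(element, base, webAppMount) for every PreResources/PostResources mounted off the root.
    webAppMount defaults to '/' when the attribute is absent."""
    root = ET.fromstring(context_xml)
    found = []
    for tag in ("PreResources", "PostResources"):
        for el in root.iter(tag):
            mount = el.get("webAppMount", "/")
            if mount != "/":
                found.append((tag, el.get("base"), mount))
    return found


# Constructed version.sh output and context.xml (invented sample data).
SAMPLE_VERSION_SH = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.105
Server built:   May 2025
"""
SAMPLE_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared-static" webAppMount="/" />
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/internal-docs" webAppMount="/internal" />
  </Resources>
</Context>
"""


def audit(version_sh_output, context_xml):
    """Combine both checks into one finding for a single deployment.
    Conservative: anything not confirmed fixed that has a non-root mount counts as exposed."""
    version = version_from_version_sh(version_sh_output)
    status = classify(version)
    mounts = non_root_mounts(context_xml)
    return {
        "version": version,
        "status": status,
        "non_root_mounts": mounts,
        "exposed": status != "fixed" and bool(mounts),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_SH, SAMPLE_CONTEXT_XML))
```

On the sample data the deployment runs 9.0.105 (affected) and carries one PostResources mount at /internal, so it is reported as exposed; the same context.xml on 9.0.106 would be reported as fixed, and a deployment whose only mounts are at / would not be flagged regardless of version.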


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-06-02T09:08:38.126Z
Cvss Version: null
State: PUBLISHED

Threat ID: 685027eca8c92127438435a2

Added to database: 6/16/2025, 2:19:24 PM

Last enriched: 8/15/2025, 1:06:49 AM

Last updated: 9/24/2025, 11:26:16 PM

Views: 47
