
CVE-2025-55752: CWE-23 Relative Path Traversal in Apache Software Foundation Apache Tomcat

Severity: High
Published: Mon Oct 27 2025 (10/27/2025, 17:29:56 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Tomcat

Description

Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 05:37:20 UTC

Technical Analysis

CVE-2025-55752 is a relative path traversal vulnerability in Apache Tomcat that arises due to a regression introduced by a prior bug fix (bug 60013). The regression caused the rewritten URL to be normalized before decoding, which is a flawed sequence that allows attackers to craft request URIs that bypass security constraints designed to protect critical directories such as /WEB-INF/ and /META-INF/. These directories typically contain configuration files and sensitive application data that should not be accessible externally. The vulnerability is particularly dangerous when combined with enabled HTTP PUT requests, which allow file uploads. In such cases, an attacker could upload malicious files to the server, potentially leading to remote code execution. However, PUT requests are generally disabled or restricted to trusted users, reducing the likelihood of exploitation in many environments. The affected Apache Tomcat versions span multiple major releases: 8.5.6 through 8.5.100 (EOL but known affected), 9.0.0.M11 through 9.0.108, 10.1.0-M1 through 10.1.44, and 11.0.0-M1 through 11.0.10. The Apache Software Foundation has released patches in versions 11.0.11, 10.1.45, and 9.0.109 to address this issue. The vulnerability is classified under CWE-23 (Relative Path Traversal) and has a CVSS v3.1 base score of 7.5, indicating high severity. Exploitation requires network access, low privileges, no user interaction, and has a high impact on confidentiality, integrity, and availability. No known exploits have been reported in the wild at the time of disclosure.

Potential Impact

This vulnerability poses a significant risk to organizations running vulnerable versions of Apache Tomcat, a widely used Java servlet container in enterprise web applications. Successful exploitation can lead to unauthorized access to sensitive directories (/WEB-INF/, /META-INF/), exposing configuration files, credentials, or application logic. If HTTP PUT is enabled, attackers can upload malicious files, potentially achieving remote code execution, which could lead to full system compromise. The breach of confidentiality, integrity, and availability can result in data theft, service disruption, and lateral movement within networks. Given Tomcat’s prevalence in government, financial, healthcare, and commercial sectors worldwide, the impact could be widespread. Organizations with strict security policies disabling PUT requests and carefully managing rewrite rules may have reduced risk, but many environments may not have these controls fully enforced. The vulnerability’s exploitation complexity is moderate due to the need to manipulate rewrite rules and possibly enable PUT, but the potential damage is severe.

Mitigation Recommendations

1. Upgrade Apache Tomcat to the fixed versions: 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later immediately.
2. Review and audit all URL rewrite rules to ensure they do not inadvertently expose sensitive paths or allow query parameters to be rewritten into the URL in a way that bypasses security constraints.
3. Disable HTTP PUT requests unless explicitly required and restrict PUT access to trusted users or IP addresses using Tomcat’s security constraints or network-level controls.
4. Implement strict access controls on sensitive directories (/WEB-INF/, /META-INF/) at the web server and application levels.
5. Monitor logs for unusual requests targeting rewrite rules or attempts to access protected directories.
6. Employ web application firewalls (WAFs) with rules to detect and block path traversal attempts and suspicious PUT requests.
7. Conduct penetration testing focusing on path traversal and file upload vectors post-patching to validate the environment’s security posture.
8. Educate developers and administrators on secure URL rewriting practices and the risks of enabling PUT requests.
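As an added illustration of recommendation 5, the following Python scanner (written for this page; not Tomcat's own code nor part of the advisory) reviews Tomcat access-log lines in the default common log format, canonicalizes each request in the correct order (decode first, then normalize dot segments) and flags requests whose path or query values resolve into /WEB-INF/ or /META-INF/, as well as PUT requests. The log lines, hosts and paths are constructed for the example, and the function names are this example's own.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qsl, unquote, urlsplit

PROTECTED_DIRS = {"WEB-INF", "META-INF"}

# Tomcat access log line in the default common format: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines for offline testing; hosts, paths and times are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:17:29:56 +0000] "GET /app/index.html HTTP/1.1" 200 512
10.0.0.7 - - [27/Oct/2025:17:30:01 +0000] "GET /app/static/..%2FWEB-INF/web.xml HTTP/1.1" 200 1034
10.0.0.8 - - [27/Oct/2025:17:30:03 +0000] "GET /app/view?page=..%2F..%2FMETA-INF%2Fcontext.xml HTTP/1.1" 404 0
10.0.0.9 - - [27/Oct/2025:17:30:05 +0000] "PUT /app/upload/report.jsp HTTP/1.1" 201 0
"""

def canonical_path(raw_path: str) -> str:
    """Percent-decode FIRST, then collapse '.' and '..' segments. Normalizing before
    decoding (the flawed order the advisory describes) would leave an encoded '..%2F'
    untouched, so the traversal would survive into the decoded URL."""
    decoded = unquote(raw_path)
    return normpath("/" + decoded.lstrip("/"))

def enters_protected_dir(candidate: str) -> bool:
    """True if the canonical form of `candidate` contains a WEB-INF or META-INF segment."""
    return any(seg.upper() in PROTECTED_DIRS for seg in canonical_path(candidate).split("/"))

def review_request(method: str, raw_uri: str) -> list[str]:
    """Reasons a request deserves review; an empty list means nothing noteworthy."""
    parts = urlsplit(raw_uri)
    reasons = []
    if enters_protected_dir(parts.path):
        reasons.append("path resolves into a protected directory")
    # Rewrite rules may copy query values into the URL, so check those the same way.
    if any(enters_protected_dir(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)):
        reasons.append("query parameter resolves into a protected directory")
    if method == "PUT":
        reasons.append("PUT request: confirm uploads are intended and restricted")
    return reasons

def scan_access_log(lines):
    """Return (method, raw_uri, reasons) for every log line worth a closer look."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = review_request(m["method"], m["uri"])
        if reasons:
            findings.append((m["method"], m["uri"], reasons))
    return findings
```

Running `scan_access_log(SAMPLE_LOG.splitlines())` reports the two traversal attempts and the PUT while leaving the plain GET untouched; feed it a real access log with `scan_access_log(open(path))`.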


Technical Details

Data Version: 5.1
Assigner Short Name: apache
Date Reserved: 2025-08-15T08:14:18.969Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68ffadeaba6dffc5e205066e

Added to database: 10/27/2025, 5:37:46 PM

Last enriched: 2/27/2026, 5:37:20 AM

Last updated: 3/23/2026, 3:31:25 PM

Views: 1880

