CVE-2025-55752 is a relative path traversal vulnerability classified under CWE-23, affecting multiple versions of Apache Tomcat, a widely used Java servlet container. The vulnerability stems from a regression introduced by the fix for bug 60013, where the rewritten URL was normalized before decoding. This sequence flaw allows attackers to craft malicious request URIs that bypass security constraints designed to protect critical directories such as /WEB-INF/ and /META-INF/. These directories typically contain configuration files and sensitive application data that should not be accessible externally. The vulnerability is particularly dangerous when combined with enabled HTTP PUT requests, which allow file uploads. In such cases, attackers can upload malicious files, potentially leading to remote code execution on the server. PUT requests are generally disabled or restricted to trusted users, making exploitation less likely but still possible in misconfigured environments. The affected versions span from 8.5.6 through 11.0.10, including some end-of-life versions. The vulnerability has a CVSS v3.1 base score of 7.5, indicating high severity, with attack vector as network, attack complexity high, privileges required low, no user interaction, and high impact on confidentiality, integrity, and availability. No known exploits are currently reported in the wild. The recommended mitigation is to upgrade to Apache Tomcat versions 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later, which contain the fix for this issue.

For European organizations, this vulnerability poses a significant risk due to the widespread use of Apache Tomcat in enterprise web applications, government portals, and critical infrastructure services. Successful exploitation could lead to unauthorized access to sensitive configuration files and application data, compromising confidentiality. Moreover, if PUT requests are enabled, attackers could upload malicious payloads resulting in remote code execution, leading to full system compromise, data breaches, and service disruption. This could impact data privacy compliance under GDPR, cause operational downtime, and damage organizational reputation. Industries such as finance, healthcare, public administration, and telecommunications, which heavily rely on Tomcat-based applications, are particularly at risk. The high severity and network accessibility of the vulnerability make it a prime target for attackers seeking to exploit misconfigurations or outdated software. The absence of known exploits in the wild currently provides a window for proactive mitigation before widespread attacks occur.

1. Immediately upgrade Apache Tomcat to the fixed versions: 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. 2. Audit and restrict the use of HTTP PUT requests to trusted users only; disable PUT if not explicitly required. 3. Review and tighten URL rewrite rules to avoid rewriting query parameters into the URL in a way that could be manipulated. 4. Implement strict input validation and normalization on incoming requests to prevent path traversal attempts. 5. Employ web application firewalls (WAFs) with rules to detect and block path traversal patterns targeting /WEB-INF/ and /META-INF/. 6. Conduct regular security assessments and penetration testing focusing on URL rewriting and file upload functionalities. 7. Monitor logs for suspicious requests attempting to access protected directories or unusual PUT requests. 8. Ensure that sensitive directories like /WEB-INF/ and /META-INF/ have appropriate access controls at the filesystem and application levels. 9. Educate development and operations teams about secure configuration practices related to URL rewriting and HTTP methods. 10. Maintain an up-to-date inventory of Tomcat instances and versions deployed across the organization to prioritize patching efforts.