CVE-2025-55752: CWE-23 Relative Path Traversal in Apache Software Foundation Apache Tomcat
Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
AI Analysis
Technical Summary
CVE-2025-55752 is a security vulnerability classified under CWE-23 (Relative Path Traversal) found in Apache Tomcat web server software. The root cause is a regression introduced by a fix for a previous bug (60013), where the rewritten URL was normalized before decoding. This sequence allowed attackers to craft specially manipulated request URIs that could bypass security constraints designed to protect critical directories such as /WEB-INF/ and /META-INF/. These directories typically contain configuration files and sensitive application resources that should not be accessible externally. The vulnerability is particularly dangerous when combined with enabled HTTP PUT requests, which allow clients to upload files to the server. In such scenarios, an attacker could upload malicious files into protected directories, potentially leading to remote code execution on the server. However, PUT requests are generally disabled or restricted to trusted users, making exploitation less likely but still possible in misconfigured environments. The affected Apache Tomcat versions span from early milestone releases (e.g., 11.0.0-M1, 10.1.0-M1, 9.0.0.M11) through stable releases up to 11.0.10, 10.1.44, and 9.0.108, including some end-of-life versions like 8.5.6 through 8.5.100. The Apache Software Foundation has released patches in versions 11.0.11, 10.1.45, and 9.0.109 to address this issue. No public exploits have been reported yet, but the vulnerability's nature and potential impact warrant immediate attention. The vulnerability requires no authentication but does require the attacker to send crafted HTTP requests, and user interaction is not needed. The flaw affects confidentiality, integrity, and availability by exposing sensitive files and enabling possible remote code execution.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those relying on Apache Tomcat for hosting web applications, including government portals, financial services, healthcare systems, and critical infrastructure. Exploitation could lead to unauthorized access to sensitive configuration files and application data, undermining confidentiality. If PUT requests are enabled, attackers could upload malicious payloads, leading to remote code execution, which threatens system integrity and availability. This could result in data breaches, service disruptions, and potential lateral movement within networks. Given the widespread use of Apache Tomcat in enterprise environments across Europe, the vulnerability could impact a broad range of sectors. Organizations with legacy or end-of-life Tomcat versions are particularly at risk due to lack of ongoing security support. The absence of known exploits currently provides a window for proactive mitigation, but the potential for rapid weaponization exists. Compliance with data protection regulations such as GDPR also raises the stakes, as breaches could lead to significant legal and financial penalties.
Mitigation Recommendations
European organizations should immediately assess their Apache Tomcat deployments to identify affected versions. The primary mitigation is to upgrade to patched versions: 11.0.11 or later, 10.1.45 or later, or 9.0.109 or later. For environments where upgrading is not immediately feasible:
- Disable HTTP PUT requests unless explicitly required, and tightly control access to the method where it is.
- Review and harden rewrite rules to ensure they do not manipulate query parameters in ways that could be exploited.
- Implement strict access controls and monitoring on sensitive directories such as /WEB-INF/ and /META-INF/.
- Employ web application firewalls (WAFs) with rules designed to detect and block path traversal attempts.
- Conduct thorough security testing and code reviews to detect similar logic flaws.
- Monitor logs for suspicious request patterns indicative of exploitation attempts.
- Maintain an incident response plan that includes steps for containment and remediation in case of compromise.
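As an added example (not part of the advisory or of the Tomcat code base), the following Python script illustrates the ordering issue described in the technical summary and one way to act on the log-monitoring recommendation above: it percent-decodes a request target before normalizing dot segments (the safe order, with the reversed order kept only to show why a check run on a normalize-then-decode result misses the traversal), then scans Tomcat-style access log lines for requests that canonicalize into WEB-INF or META-INF, or that use PUT. The log lines, addresses and paths are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote
# Constructed Tomcat-style access log lines (common log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2025:17:40:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [27/Oct/2025:17:40:02 +0000] "GET /app/static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 1044
10.0.0.9 - - [27/Oct/2025:17:40:03 +0000] "PUT /app/upload/x.jsp HTTP/1.1" 201 0
10.0.0.5 - - [27/Oct/2025:17:40:04 +0000] "GET /app/META-INF/MANIFEST.MF HTTP/1.1" 404 0
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+"')
PROTECTED = {"WEB-INF", "META-INF"}  # directories a servlet container must never serve

def normalize(path: str) -> str:
    """Collapse '.' and '..' segments without decoding anything."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def canonical_path(target: str, decode_first: bool = True) -> str:
    """Safe order is percent-decode, then normalize. decode_first=False mirrors the
    advisory's regression: normalizing first leaves an encoded dot segment intact,
    so '..' only appears after the security check has already run."""
    path = target.split("?", 1)[0]
    return normalize(unquote(path)) if decode_first else unquote(normalize(path))

def within_protected(path: str) -> bool:
    """True if any segment of the canonical path names WEB-INF or META-INF."""
    return any(seg.upper() in PROTECTED for seg in path.split("/"))

def scan_log(text: str) -> list:
    """Return (ip, method, target, reason) tuples for requests worth reviewing."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m.group("ip", "method", "target")
        if within_protected(canonical_path(target)):
            findings.append((ip, method, target, "protected-directory"))
        if method == "PUT":  # PUT should be rare on a Tomcat front end; review each one
            findings.append((ip, method, target, "put-request"))
    return findings
```

The segment-anywhere check in within_protected is deliberately broader than the container's own prefix check, so a log scan flags the request whichever order the server used.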
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: apache
- Date Reserved: 2025-08-15T08:14:18.969Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68ffadeaba6dffc5e205066e
Added to database: 10/27/2025, 5:37:46 PM
Last enriched: 10/27/2025, 5:53:41 PM
Last updated: 10/27/2025, 7:47:11 PM