CVE-2025-66614 is an improper input validation vulnerability (CWE-20) in Apache Tomcat, a widely used Java-based web server and servlet container. The issue affects multiple versions spanning from 8.5.0 through 11.0.14, including some end-of-life versions still in use. The root cause is that Tomcat fails to validate that the hostname provided in the TLS Server Name Indication (SNI) extension matches the hostname specified in the HTTP Host header. This discrepancy becomes critical in configurations where Tomcat hosts multiple virtual hosts with differing client certificate authentication requirements—some requiring client certificates and others not. If client certificate authentication is enforced only at the Connector level (the TLS termination point), an attacker can exploit this by sending a TLS connection with an SNI hostname pointing to a host that does not require client certificates, while simultaneously sending an HTTP Host header for a host that does require client certificates. Tomcat incorrectly accepts the connection without client certificate authentication, effectively bypassing the security control. This vulnerability does not apply if client certificate authentication is enforced at the web application level, which performs validation after TLS termination. The CVSS 3.1 base score is 7.6, indicating high severity due to network attack vector, low attack complexity, requiring privileges but no user interaction, and resulting in high confidentiality impact with limited integrity and availability impact. No known exploits are reported in the wild at the time of publication. The recommended mitigation is upgrading to fixed versions 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later. This vulnerability highlights the importance of consistent hostname validation across TLS and HTTP layers in multi-host environments.

The vulnerability allows an attacker to bypass client certificate authentication in Apache Tomcat when configured with multiple virtual hosts that have differing client certificate requirements. This can lead to unauthorized access to resources that should be protected by client certificate authentication, compromising confidentiality. The attacker can impersonate a trusted client by exploiting the mismatch between the SNI hostname and HTTP Host header, potentially accessing sensitive data or functionality restricted to authenticated clients. The integrity impact is limited as the attacker does not gain full control over the server but can access protected endpoints. Availability impact is low since the vulnerability does not enable denial of service. Organizations relying on client certificate authentication at the Connector level for security enforcement are at significant risk. This can affect web applications in sectors such as finance, healthcare, government, and enterprise environments where Tomcat is used to host sensitive services. The ease of exploitation is relatively low complexity but requires network access and knowledge of the target’s virtual host configuration. The scope is broad given Tomcat’s widespread use globally, especially in enterprise Java environments.

1. Upgrade affected Apache Tomcat instances to versions 11.0.15 or later, 10.1.50 or later, or 9.0.113 or later, which contain the fix for this vulnerability. 2. If immediate upgrade is not feasible, enforce client certificate authentication at the web application level rather than solely at the Connector level to ensure validation occurs after TLS termination. 3. Review and audit TLS and virtual host configurations to ensure consistent hostname validation between SNI and HTTP Host headers. 4. Implement network-level controls to restrict access to Tomcat servers to trusted clients and networks. 5. Monitor logs for anomalies where SNI and HTTP Host headers differ, which may indicate exploitation attempts. 6. Educate developers and administrators on the risks of relying solely on Connector-level client certificate authentication in multi-host environments. 7. Consider deploying Web Application Firewalls (WAFs) capable of detecting and blocking mismatched SNI and Host header requests. 8. Regularly test and validate TLS configurations and client authentication mechanisms as part of security assessments.