GHSA-wc4r-xq3c-5cf3 · Severity: medium · Ecosystem: maven — Apache Tomcat - Security constraint bypass for pre/post-resources
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Conclusion & alert: CVE-2025-49125 is rated Moderate Risk (63.2/100): CVSS High severity, with medium exploitation likelihood (EPSS 3.16%). Core evidence: EPSS rose +2.97% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.19% | 3.16% | +2.97% |
| 2 | 2026-05-22 | 0.35% | 0.19% | -0.16% |
| 3 | 2026-04-12 | — | 0.35% | — |
Full EPSS history (13 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
GHSA-wc4r-xq3c-5cf3 · Severity: medium · Ecosystem: maven — Apache Tomcat - Security constraint bypass for pre/post-resources
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-49125 not yet assigned priority: Debian including 3 source packages (tomcat10, tomcat11, tomcat9), 12 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 12. | https://security-tracker.debian.org/tracker/CVE-2025-49125 |
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2025-49125 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2025-49125/ |
ubuntu
|
medium | CVE-2025-49125 medium priority: Ubuntu including 6 source packages (tomcat10, tomcat11, tomcat6, tomcat7, tomcat8, tomcat9), 44 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 19, ignored 12, needed 6, not-affected 4, released 3. | https://ubuntu.com/security/CVE-2025-49125 |
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk | Mailing List Vendor Advisory |
| http://www.openwall.com/lists/oss-security/2025/06/16/2 | Mailing List Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html |