Apache Tomcat Vulnerable to Relative Path Traversal

Description

The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.

The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Browse source ↗
Published (advisory)
2025-10-27 18:31:13 UTC
Updated
2026-05-13 16:23:38 UTC
GitHub reviewed
2025-10-28 17:55:41 UTC
NVD published
2025-10-27

EPSS Score

Score Percentile
0.14% 34.18%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
7.7 4.0
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:N)
No confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-23 Relative Path Traversal

Credits

  • aruneko (analyst)
  • tkwilli94 (analyst)

Affected packages (12)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.tomcat:tomcat >= 11.0.0-M1, < 11.0.11 11.0.11
maven org.apache.tomcat:tomcat >= 10.1.0-M1, < 10.1.45 10.1.45
maven org.apache.tomcat:tomcat-catalina >= 11.0.0-M1, < 11.0.11 11.0.11
maven org.apache.tomcat:tomcat-catalina >= 10.1.0-M1, < 10.1.45 10.1.45
maven org.apache.tomcat.embed:tomcat-embed-core >= 11.0.0-M1, < 11.0.11 11.0.11
maven org.apache.tomcat.embed:tomcat-embed-core >= 10.1.0-M1, < 10.1.45 10.1.45
maven org.apache.tomcat:tomcat >= 9.0.0-M11, < 9.0.109 9.0.109
maven org.apache.tomcat:tomcat-catalina >= 9.0.0-M11, < 9.0.109 9.0.109
maven org.apache.tomcat.embed:tomcat-embed-core >= 9.0.0-M11, < 9.0.109 9.0.109
maven org.apache.tomcat:tomcat >= 8.5.6, <= 8.5.100
maven org.apache.tomcat:tomcat-catalina >= 8.5.6, <= 8.5.100
maven org.apache.tomcat.embed:tomcat-embed-core >= 8.5.6, <= 8.5.100

References

cvelogic Threat Intelligence