Hi all,
A few new CVEs were announced, including two with a severity level of
"Important" (these latter two are not relevant to the TDS, but could be
problematic if you are also hosting applications that permit file uploads).
Please upgrade to the latest version of Tomcat.
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Jun 16, 2025 at 8:19 AM
Subject: [SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>
CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
When using PreResources or PostResources mounted other than at the root
of the web application, it was possible to access those resources via an
unexpected path. That path was likely not to be protected by the same
security constraints as the expected path, allowing those security
constraints to be bypassed.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later
Credit:
Greg K (https://github.com/gregk4sec)
History:
2025-06-16 Original advisory
References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
--
Jennifer Oxelson Ganter
Software Engineer IV
NSF Unidata
P.O. Box 3000
Boulder, CO 80307
oxelson@xxxxxxxx
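Added example, not part of the forwarded advisory or of the Tomcat project: a small Python check that parses a Tomcat version string (or the banner line that `catalina.sh version` prints) and reports whether it falls inside the affected ranges listed above, with the fixed release to move to. The banner text is a constructed sample.

```python
"""Classify an Apache Tomcat version against the ranges in CVE-2025-49125."""
import re

# Ranges copied from the advisory: (first affected, last affected, first fixed),
# keyed by release branch so that 10.0.x is not mistaken for 10.1.x.
AFFECTED = {
    (11, 0): ("11.0.0-M1", "11.0.7", "11.0.8"),
    (10, 1): ("10.1.0-M1", "10.1.41", "10.1.42"),
    (9, 0): ("9.0.0.M1", "9.0.105", "9.0.106"),
}
# Tomcat writes milestones as 11.0.0-M1 (current style) or 9.0.0.M1 (older style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\S+)")

def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_final, milestone).
    A milestone sorts before the final release of the same number:
    11.0.0-M1 -> (11, 0, 0, 0, 1) < 11.0.0 -> (11, 0, 0, 1, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def version_from_banner(banner):
    """Pull the version out of 'catalina.sh version' output
    ('Server version: Apache Tomcat/9.0.105'); None if absent."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None

def assess(version_text):
    """Return (affected, advice) for one version string."""
    v = parse_version(version_text)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return (False, "branch not covered by this advisory; check the Tomcat security pages")
    first, last, fixed = branch
    if parse_version(first) <= v <= parse_version(last):
        return (True, f"affected: upgrade to Apache Tomcat {fixed} or later")
    return (False, "not in an affected range")

# Constructed sample of what 'catalina.sh version' prints on an affected host.
SAMPLE_BANNER = "Server version: Apache Tomcat/9.0.105\nServer number:  9.0.105.0\n"

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    print(found, assess(found))
```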