VulnerableCode Package Details - pkg:rpm/redhat/tomcat@1:9.0.87-1.el8

Search for packages

Vulnerability	Summary	Fixed by
VCID-kukv-k3z7-7fgs Aliases: CVE-2025-31651 GHSA-ff77-26x5-69cr	Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.	There are no reported fixed by versions.
VCID-xqjr-7xfw-mbh2 Aliases: CVE-2025-55752 GHSA-wmwf-9ccg-fff5	Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-kukv-k3z7-7fgs
Aliases:
CVE-2025-31651
GHSA-ff77-26x5-69cr

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

There are no reported fixed by versions.

VCID-xqjr-7xfw-mbh2
Aliases:
CVE-2025-55752
GHSA-wmwf-9ccg-fff5

Relative Path Traversal vulnerability in Apache Tomcat. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:40:40.134737+00:00	RedHat Importer	Affected by	VCID-kukv-k3z7-7fgs	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31651.json	38.0.0
2026-04-01T13:35:41.479175+00:00	RedHat Importer	Affected by	VCID-xqjr-7xfw-mbh2	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55752.json	38.0.0

2026-04-01T13:40:40.134737+00:00

RedHat Importer

Affected by

VCID-kukv-k3z7-7fgs

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31651.json

38.0.0

2026-04-01T13:35:41.479175+00:00

RedHat Importer

Affected by

VCID-xqjr-7xfw-mbh2

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55752.json

38.0.0

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	4.4