Vulnerability details: VCID-6qpu-a1ru-qqdw
Vulnerability ID VCID-6qpu-a1ru-qqdw
Aliases CVE-2025-49125
GHSA-wc4r-xq3c-5cf3
Summary Apache Tomcat - Security constraint bypass for pre/post-resources
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json
epss 0.00024 https://api.first.org/data/v1/epss?cve=CVE-2025-49125
apache_tomcat Moderate https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125
cvssv3.1 7.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wc4r-xq3c-5cf3
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c
generic_textual MODERATE https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9
generic_textual MODERATE https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637
cvssv3.1 7.5 https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
generic_textual MODERATE https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
ssvc Track https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-49125
archlinux High https://security.archlinux.org/AVG-2888
archlinux High https://security.archlinux.org/AVG-2889
generic_textual MODERATE https://tomcat.apache.org/security-10.html
generic_textual MODERATE https://tomcat.apache.org/security-11.html
generic_textual MODERATE https://tomcat.apache.org/security-9.html
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2025/06/16/2
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-17T14:06:30Z/ Found at https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
Exploit Prediction Scoring System (EPSS)
Percentile 0.04951
EPSS Score 0.00024
Published At June 25, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-06-16T20:36:55.463966+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-wc4r-xq3c-5cf3/GHSA-wc4r-xq3c-5cf3.json 36.1.0