Vulnerability details: VCID-usp8-axuv-v3fb
Vulnerability ID VCID-usp8-axuv-v3fb
Aliases CVE-2025-49125, GHSA-wc4r-xq3c-5cf3
Summary Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
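The summary gives a practitioner two things to check: whether the running Tomcat build falls inside the affected ranges, and whether any context.xml mounts PreResources or PostResources somewhere other than the web application root, which is the precondition the advisory names. The script below is an added triage example, not code from this page or from the Apache Tomcat project. It assumes Tomcat's documented default of "/" for the webAppMount attribute when it is omitted, and the embedded context.xml is a constructed sample, not a real deployment. The page does not describe the unexpected path itself, so the script identifies the vulnerable configuration and version, not the bypass.

```python
"""Triage helper for CVE-2025-49125: is this Tomcat build in an affected range,
and does its context.xml mount PreResources/PostResources off the web app root?

Added example; not code from the VulnerableCode page or the Apache Tomcat
project. Version ranges are the ones quoted in the advisory summary.
"""
import re
import xml.etree.ElementTree as ET

# Last vulnerable and first fixed release per branch, as stated in the advisory.
LAST_AFFECTED = {(11, 0): "11.0.7", (10, 1): "10.1.41", (9, 0): "9.0.105"}
FIXED_IN = {(11, 0): "11.0.8", (10, 1): "10.1.42", (9, 0): "9.0.106"}

# Accepts "11.0.7", "10.1.0-M1" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def version_key(version):
    """Sort key for Tomcat versions; a milestone sorts before its final release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    is_release = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_release, int(milestone or 0))


def assess_version(version):
    """'affected', 'fixed', or 'not listed' when the branch is absent from the advisory."""
    key = version_key(version)
    branch = key[:2]
    if branch not in LAST_AFFECTED:
        return "not listed"
    return "affected" if key <= version_key(LAST_AFFECTED[branch]) else "fixed"


def find_offroot_mounts(context_xml):
    """Return (tag, webAppMount, base) for every PreResources/PostResources element
    mounted anywhere other than "/". Assumes Tomcat's documented default of "/"
    when webAppMount is omitted (assumption, not stated on the advisory page)."""
    hits = []
    for elem in ET.fromstring(context_xml).iter():
        if elem.tag not in ("PreResources", "PostResources"):
            continue
        mount = elem.get("webAppMount", "/")
        if mount.strip("/") != "":  # "/" and "" both mean the web application root
            hits.append((elem.tag, mount, elem.get("base", "")))
    return hits


def triage(version, context_xml):
    """Combine both checks. The advisory's precondition is an off-root mount on a
    vulnerable build; both must hold for the bypass to apply."""
    status = assess_version(version)
    mounts = find_offroot_mounts(context_xml)
    branch = version_key(version)[:2]
    return {
        "version_status": status,
        "offroot_mounts": mounts,
        "exposed": status == "affected" and bool(mounts),
        "upgrade_to": FIXED_IN.get(branch),
    }


# Constructed sample context.xml (not from any real deployment): one PreResources
# mounted at /static (the risky pattern) and one PostResources left at the root.
SAMPLE_CONTEXT_XML = """\
<Context>
  <Resources>
    <PreResources className="org.apache.catalina.webresources.DirResourceSet"
                  base="/srv/shared/static" webAppMount="/static" />
    <PostResources className="org.apache.catalina.webresources.DirResourceSet"
                   base="/srv/shared/fallback" />
  </Resources>
</Context>
"""

if __name__ == "__main__":
    for v in ("9.0.105", "10.1.41", "10.1.42", "11.0.0-M1", "8.5.100"):
        result = triage(v, SAMPLE_CONTEXT_XML)
        print(v, result["version_status"], "exposed=%s" % result["exposed"],
              "upgrade_to=%s" % result["upgrade_to"])
    for tag, mount, base in find_offroot_mounts(SAMPLE_CONTEXT_XML):
        print("off-root mount: %s webAppMount=%s base=%s" % (tag, mount, base))
```

Run it against every context.xml a Tomcat instance loads (conf/context.xml, each web application's META-INF/context.xml, and per-context files under conf/Catalina/localhost). A result of "exposed" is a reason to upgrade immediately; a clean result on an affected build is not a reason to skip the upgrade, since the script only recognises the configuration pattern the advisory describes and does not model the alternate path itself.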
Weaknesses (3)
System           Score      Found at
cvssv3           3.7        https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json
epss             0.00049    https://api.first.org/data/v1/epss?cve=CVE-2025-49125
epss             0.00053    https://api.first.org/data/v1/epss?cve=CVE-2025-49125
epss             0.0007     https://api.first.org/data/v1/epss?cve=CVE-2025-49125
apache_tomcat    Moderate   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125
cvssv3.1         7.4        https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr      MODERATE   https://github.com/advisories/GHSA-wc4r-xq3c-5cf3
generic_textual  MODERATE   https://github.com/apache/tomcat
generic_textual  MODERATE   https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c
generic_textual  MODERATE   https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9
generic_textual  MODERATE   https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637
cvssv3.1         7.5        https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
generic_textual  MODERATE   https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
ssvc             Track      https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
generic_textual  MODERATE   https://nvd.nist.gov/vuln/detail/CVE-2025-49125
archlinux        High       https://security.archlinux.org/AVG-2888
archlinux        High       https://security.archlinux.org/AVG-2889
generic_textual  MODERATE   https://tomcat.apache.org/security-10.html
generic_textual  MODERATE   https://tomcat.apache.org/security-11.html
generic_textual  MODERATE   https://tomcat.apache.org/security-9.html
generic_textual  MODERATE   http://www.openwall.com/lists/oss-security/2025/06/16/2
Reference id                                URL
-                                           https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json
-                                           https://api.first.org/data/v1/epss?cve=CVE-2025-49125
-                                           https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
-                                           https://github.com/apache/tomcat
-                                           https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c
-                                           https://github.com/apache/tomcat/commit/9418e3ff9f1f4c006b4661311ae9376c52d162b9
-                                           https://github.com/apache/tomcat/commit/d94bd36fb7eb32e790dae0339bc249069649a637
-                                           https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
-                                           https://nvd.nist.gov/vuln/detail/CVE-2025-49125
-                                           https://tomcat.apache.org/security-10.html
-                                           https://tomcat.apache.org/security-11.html
-                                           https://tomcat.apache.org/security-9.html
-                                           http://www.openwall.com/lists/oss-security/2025/06/16/2
1108114                                     https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108114
2373018                                     https://bugzilla.redhat.com/show_bug.cgi?id=2373018
AVG-2888                                    https://security.archlinux.org/AVG-2888
AVG-2889                                    https://security.archlinux.org/AVG-2889
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*     https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
CVE-2025-49125                              https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125
GHSA-wc4r-xq3c-5cf3                         https://github.com/advisories/GHSA-wc4r-xq3c-5cf3
RHSA-2025:11695                             https://access.redhat.com/errata/RHSA-2025:11695
RHSA-2025:11696                             https://access.redhat.com/errata/RHSA-2025:11696
RHSA-2025:11741                             https://access.redhat.com/errata/RHSA-2025:11741
RHSA-2025:11742                             https://access.redhat.com/errata/RHSA-2025:11742
RHSA-2025:14177                             https://access.redhat.com/errata/RHSA-2025:14177
RHSA-2025:14178                             https://access.redhat.com/errata/RHSA-2025:14178
RHSA-2025:14179                             https://access.redhat.com/errata/RHSA-2025:14179
RHSA-2025:14180                             https://access.redhat.com/errata/RHSA-2025:14180
RHSA-2025:14181                             https://access.redhat.com/errata/RHSA-2025:14181
RHSA-2025:14182                             https://access.redhat.com/errata/RHSA-2025:14182
RHSA-2025:14183                             https://access.redhat.com/errata/RHSA-2025:14183
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (base score 3.7) Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49125.json
Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: Low; Integrity Impact: None; Availability Impact: None

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (base score 7.4) Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector: Network; Attack Complexity: High; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: High; Availability Impact: None

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5) Found at https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None

Note: the three published vectors agree on an unauthenticated network attack with no user interaction but differ on Attack Complexity (High from Red Hat and SUSE, Low from Apache) and on impact (C:L from Red Hat, C:H/I:H from SUSE, C:H from Apache), which is why the base scores range from 3.7 to 7.5. Which one applies depends on what the off-root mounted resources contain and whether the bypassed constraint protected only reads or also writes.


Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-17T14:06:30Z/ Found at https://lists.apache.org/thread/m66cytbfrty9k7dc4cg6tl1czhsnbywk
Exploitation: None (E:N); Automatable: Yes (A:Y); Technical Impact: Partial (T:P); Decision: Track (D:T); assessed 2025-06-17T14:06:30Z
Exploit Prediction Scoring System (EPSS)
Percentile 0.15155
EPSS Score 0.00049
Published At July 30, 2025, 12:55 p.m.
Date                               Actor                    Action   Source                                       VulnerableCode Version
2025-07-31T08:03:15.905753+00:00   Apache Tomcat Importer   Import   https://tomcat.apache.org/security-11.html   37.0.0